Building a private cloud with OpenStack (CentOS 7.3, centos-release-openstack-liberty) (Part 2)
Keystone
yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y
Edit the keystone configuration file:
vi /etc/keystone/keystone.conf
admin_token = 8ec2b4acae6c3479574c (a random value generated with openssl rand -hex 10; it is used to connect and create the first users while no user exists yet)
#Deprecated group/name - [sql]/connection
#connection = <None>
connection = mysql://keystone:keystone@192.168.1.31/keystone
(used to connect to the database; the three keystone values stand for the keystone component, the keystone user name, and the keystone database name in MySQL)
# DEPRECATED: If set to false, the logging level will be set to WARNING instead
# of the default INFO level. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
[root@<host> keystone]# grep '^[a-z]' /etc/keystone/keystone.conf
admin_token = 8ec2b4acae6c3479574c
connection = mysql://keystone:keystone@192.168.1.31/keystone
servers = 192.168.1.31:11211
driver = sql
provider = uuid
driver = memcache
Switch to the keystone user and populate the keystone database:
[root@<host> ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
(The keystone service writes to keystone.log as the keystone user when it starts. If this sync is run as root, the log file is created by root, keystone can no longer write to it with the keystone user's permissions, and the service will not start.)
[root@<host> ~]# cd /var/log/keystone/
[root@<host> keystone]# ll
total 8
-rw-r--r--. 1 keystone keystone 6754 Nov 3 08:26 keystone.log
[root@<host> keystone]# mysql -h 192.168.1.31 -u keystone -pkeystone
MariaDB [(none)]> use keystone;
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| mapping |
| migrate_version |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
33 rows in set (0.00 sec)
Dropping the database (this drops all of its tables as well):
mysql -h 192.168.1.31 -u keystone -pkeystone
MariaDB [(none)]> drop database keystone;
Then create the database again (this only creates the database name; it contains no tables yet):
MariaDB [(none)]> create database keystone;
Sync keystone again:
root@<host>:~# keystone-manage db_sync
If the database is still empty after the sync, run the following:
[root@<host> yum.repos.d]# mysql -uroot -p123456
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Add an Apache wsgi-keystone configuration file; port 5000 serves the public API and port 35357 serves the admin API:
vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Configure Apache's ServerName; if it is not set, the keystone service is affected. The default line in /etc/httpd/conf/httpd.conf is commented out; uncomment it and set it to this node:
#ServerName www.example.com:80
[root@<host> etc]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@<host> etc]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@<host> etc]# systemctl start httpd
[root@<host> etc]# netstat -ntlp | grep http
tcp6 0 0 :::80 :::* LISTEN 42732/httpd
tcp6 0 0 :::5000 :::* LISTEN 42732/httpd
Keystone listens on two ports, 35357 and 5000: 35357 is for administration, 5000 for normal users.
[root@<host> etc]# systemctl start memcached
Create users and connect to keystone. There are two ways to do this: pass the parameters on the command line (see keystone --help), or use environment variables. Below the environment-variable method is used, setting the token, the API URL and the API version (this suits an SOA setup well).
[root@<host> etc]# export OS_TOKEN=8ec2b4acae6c3479574c
[root@<host> etc]# export OS_URL=http://192.168.1.31:35357/v3
[root@<host> etc]# export OS_IDENTITY_API_VERSION=3
This differs between releases: Liberty does not require creating a domain first, whereas Ocata does.
Create the admin project:
Command format: openstack project create --domain DOMAIN --description "DESCRIPTION" PROJECT_NAME
[root@<host> keystone]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | abf7e8053ffd49f5a741a7224141f69d |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
Create the admin user and set its password (in production, make sure to use a complex one):
[root@<host> keystone]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 6c1489bda8154caebc0620ed234f2e5e |
| name | admin |
+-----------+----------------------------------+
Create the admin role:
[root@<host> keystone]# openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 68e878bcce234ef4abaeedbb9232108e |
| name | admin |
+-------+----------------------------------+
Add the admin user to the admin project with the admin role; this links role, project and user together:
[root@<host> keystone]# openstack role add --project admin --user admin admin
Create an ordinary user demo, a demo project and a user role, and link them together.
In OpenStack, routine tasks should be carried out by a user that does not have many privileges; here we create the demo user.
[root@<host> keystone]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 84451e8f3b5b47179a1a95598b569571 |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
[root@<host> keystone]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | a1ec581dfa314518a8796bd86dcb67bf |
| name | demo |
+-----------+----------------------------------+
[root@<host> keystone]# openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 61f89260e105474f9af878c1852c8ac3 |
| name | user |
+-------+----------------------------------+
[root@<host> keystone]# openstack role add --project demo --user demo user
Create a service project; it holds the service accounts used to manage nova, neutron, glance and the other components:
[root@<host> keystone]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | a42ec1a8e7174b89a9b864262975eeee |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
List the users, roles and projects that were created:
[root@<host> keystone]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 6c1489bda8154caebc0620ed234f2e5e | admin |
| a1ec581dfa314518a8796bd86dcb67bf | demo |
+----------------------------------+-------+
[root@<host> keystone]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 84451e8f3b5b47179a1a95598b569571 | demo |
| a42ec1a8e7174b89a9b864262975eeee | service |
| abf7e8053ffd49f5a741a7224141f69d | admin |
+----------------------------------+---------+
[root@<host> keystone]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 61f89260e105474f9af878c1852c8ac3 | user |
| 68e878bcce234ef4abaeedbb9232108e | admin |
+----------------------------------+-------+
Register the keystone service: although keystone is itself the service registry, its own service still has to be registered.
Create the keystone identity service:
[root@<host> keystone]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | fb040d8bfecd4b48a6e544bb18783940 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
Create the three types of endpoint: public (externally visible), internal (for internal use) and admin (for management):
[root@<host> keystone]# openstack endpoint create --region RegionOne identity public http://192.168.1.31:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 52f5efab113546f290e82ef5800045ef |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fb040d8bfecd4b48a6e544bb18783940 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.31:5000/v2.0 |
+--------------+----------------------------------+
[root@<host> keystone]# openstack endpoint create --region RegionOne identity internal http://192.168.1.31:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 5d5370d863334671a7cb84fbf5f36c74 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fb040d8bfecd4b48a6e544bb18783940 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.31:5000/v2.0 |
+--------------+----------------------------------+
[root@<host> keystone]# openstack endpoint create --region RegionOne identity admin http://192.168.1.31:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7eff61485acd4b0ab9c191c55923457d |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fb040d8bfecd4b48a6e544bb18783940 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.31:35357/v2.0 |
+--------------+----------------------------------+
List the endpoints that were created:
[root@<host>]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 52f5efab113546f290e82ef5800045ef | RegionOne | keystone | identity | True | public | http://192.168.1.31:5000/v2.0 |
| 5d5370d863334671a7cb84fbf5f36c74 | RegionOne | keystone | identity | True | internal | http://192.168.1.31:5000/v2.0 |
| 7eff61485acd4b0ab9c191c55923457d | RegionOne | keystone | identity | True | admin | http://192.168.1.31:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
Connect to keystone and request a token. Now that a user name and password exist, the admin token is no longer used, so the token environment variables must be unset:
[root@<host> keystone]# unset OS_TOKEN
[root@<host> keystone]# unset OS_URL
[root@<host> keystone]# openstack --os-auth-url http://192.168.1.31:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo token issue
Password:
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-6b44399a-fb8b-4eda-81ad-1c5c44468940)
If keystone has problems, turn on debug output by changing debug from false to true:
[root@<host> ~]# grep -n "#debug" /etc/keystone/keystone.conf
[root@<host> keystone]# openstack --os-auth-url http://192.168.1.31:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo token issue
Password:
Maximum lock attempts on _lockusertokens-feeaa25933814b838141fc31cfe721f8 occurred. (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-b52b44de-3f50-4f90-b0d8-9a4aef34f89a)
Cause: the token obtained was invalid. Edit the [token] section of keystone.conf:
vi /etc/keystone/keystone.conf
[token]
provider = uuid
Changed configuration, storing tokens in the SQL database:
[token]
provider = uuid
driver = sql
Success:
[root@<host> keystone]# openstack --os-auth-url http://192.168.1.31:5000/v3 \
> --os-project-domain-id default --os-user-domain-id default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-11-10T07:54:58.959179Z |
| id | 830179f0a8b94f52876da0b2c907598c |
| project_id | ac511260bc79441ab50c59a836f36f0b |
| user_id | feeaa25933814b838141fc31cfe721f8 |
+------------+----------------------------------+
[root@<host> keystone]# openstack --os-auth-url http://192.168.1.31:35357/v3 \
> --os-project-domain-id default --os-user-domain-id default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-11-10T08:00:58.375897Z |
| id | 618cc1bfe8414672b511f524acdeefdb |
| project_id | 78b63f28f4924b6aa9f28ede88e5622f |
| user_id | b5dd61edaf474cab9e72c496a1d6608c |
+------------+----------------------------------+
In the end the real cause turned out to be the following:
[root@<host> keystone]# netstat -nalt | grep 11211
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:33714 127.0.0.1:11211 ESTABLISHED
tcp 0 0 127.0.0.1:33702 127.0.0.1:11211 ESTABLISHED
tcp 0 0 127.0.0.1:11211 127.0.0.1:33702 ESTABLISHED
tcp 0 0 127.0.0.1:11211 127.0.0.1:33714 ESTABLISHED
tcp6 0 0 ::1:11211 :::* LISTEN
memcached's port 11211 was not listening on 192.168.1.31.
[root@<host> keystone]# vi /etc/sysconfig/memcached (add 192.168.1.31)
OPTIONS="-l 127.0.0.1,::1,192.168.1.31"
[root@<host> keystone]# vi /etc/keystone/keystone.conf
[token]
provider = uuid
driver = memcache
A note on this:
By default keystone stores tokens in the SQL database, and a token is valid for one day (24h) by default.
Every command (request) that any OpenStack component executes has to be validated with a token, and every access creates a token, so the token table grows very quickly.
As time passes more and more of these records are stale; in an enterprise private cloud a few days are enough to reach tens or hundreds of thousands of rows. All these stale tokens slow down the SQL statements against the token table and degrade performance.
This means a scheduled script has to be written to clean up the token table.
The better option, of course, is to store tokens in the memcache cache and let memcached's own behaviour drop entries that are no longer used:
[memcache]
servers = 192.168.1.31:11211
[token]
provider = uuid
driver = memcache
The default configuration is:
[token]
provider = uuid
driver = sql
Write environment-variable files for the admin and demo users and make them executable; from then on, just source the file before running commands.
[root@<host> keystone]# vi admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.1.31:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@<host> keystone]# vi demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.1.31:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@<host> keystone]# chmod +x demo-openrc.sh
[root@<host> keystone]# chmod +x admin-openrc.sh
[root@<host> keystone]# source admin-openrc.sh
[root@<host> keystone]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-11-10T09:28:15.176708Z |
| id | a53d24f02d1f4b86a62169fcfda87cb9 |
| project_id | 78b63f28f4924b6aa9f28ede88e5622f |
| user_id | b5dd61edaf474cab9e72c496a1d6608c |
+------------+----------------------------------+
[root@<host> keystone]# source demo-openrc.sh
[root@<host> keystone]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-11-10T09:25:59.282524Z |
| id | 34b36c0b046e49b0953b8ab968f58293 |
| project_id | ac511260bc79441ab50c59a836f36f0b |
| user_id | feeaa25933814b838141fc31cfe721f8 |
+------------+----------------------------------+
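What `openstack token issue` does under the hood, as an added example (not code from the original post): it builds the v3 password-auth request the commands above send to /v3/auth/tokens, reads the token out of the response, and looks a service URL up in the catalog that comes back with it. The sample response is constructed from the demo token and the identity endpoints shown above; AUTH_URL assumes this page's controller at 192.168.1.31.

```python
"""Keystone v3 password authentication, as sent by `openstack token issue`.

Added example, not code from the original post. Only issue_token() talks to
the network; the sample below is constructed from values shown on this page.
"""
import json
import urllib.request

AUTH_URL = "http://192.168.1.31:5000/v3"  # public identity endpoint on this page


def build_auth_request(username, password, project_name,
                       user_domain_id="default", project_domain_id="default"):
    """Body for POST /v3/auth/tokens: the --os-username, --os-project-name
    and --os-*-domain-id options above, in the form keystone expects."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": username,
                                  "domain": {"id": user_domain_id},
                                  "password": password}},
        },
        "scope": {"project": {"name": project_name,
                              "domain": {"id": project_domain_id}}},
    }}


def parse_token_response(headers, body):
    """The four fields `openstack token issue` prints. The token id is only
    in the X-Subject-Token header; the JSON body carries everything else."""
    token = body["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires": token["expires_at"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
    }


def find_endpoint(body, service_type, interface="public", region="RegionOne"):
    """URL of a registered service from the catalog returned with the token,
    which is how clients locate glance or nova after authenticating."""
    for service in body["token"].get("catalog", []):
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == interface and ep.get("region") == region:
                return ep["url"]
    return None  # service type not registered with that interface/region


def issue_token(username, password, project_name, auth_url=AUTH_URL):
    """Live call. The password goes in the request body in clear text, so
    outside a lab like this one auth_url should be an https endpoint."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(build_auth_request(username, password,
                                           project_name)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # 201 Created on success
        return parse_token_response(resp.headers, json.load(resp))


# Constructed sample: the demo token issued above plus the three identity
# endpoints registered above, in the shape a v3 token response uses.
SAMPLE_HEADERS = {"X-Subject-Token": "830179f0a8b94f52876da0b2c907598c"}
SAMPLE_BODY = {"token": {
    "expires_at": "2017-11-10T07:54:58.959179Z",
    "project": {"id": "ac511260bc79441ab50c59a836f36f0b", "name": "demo"},
    "user": {"id": "feeaa25933814b838141fc31cfe721f8", "name": "demo"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "http://192.168.1.31:5000/v2.0"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://192.168.1.31:5000/v2.0"},
        {"interface": "admin", "region": "RegionOne",
         "url": "http://192.168.1.31:35357/v2.0"},
    ]}],
}}

if __name__ == "__main__":
    print(parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print(find_endpoint(SAMPLE_BODY, "identity", interface="admin"))
```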
Glance
yum install openstack-glance python-glance python-glanceclient -y
[root@<host> ~]# vi /etc/glance/glance-api.conf
[database]
connection=mysql://glance:glance@192.168.1.31/glance
[root@<host> ~]# vi /etc/glance/glance-registry.conf
[database]
connection=mysql://glance:glance@192.168.1.31/glance
[root@<host> ~]# su -s /bin/sh -c "glance-manage db_sync" glance
No handlers could be found for logger "oslo_config.cfg" (can be ignored)
/usr/lib64/python2.7/site-packages/sqlalchemy/engine/default.py:450: Warning: Duplicate index `ix_image_properties_image_id_name`. This is deprecated and will be disallowed in a future release.
cursor.execute(statement, parameters)
[root@<host> ~]# mysql -h 192.168.1.31 -u glance -pglance
MariaDB [(none)]> use glance;
Database changed
MariaDB [glance]> show tables;
+----------------------------------+
| Tables_in_glance |
+----------------------------------+
| artifact_blob_locations |
| artifact_blobs |
| artifact_dependencies |
| artifact_properties |
| artifact_tags |
| artifacts |
| image_locations |
| image_members |
| image_properties |
| image_tags |
| images |
| metadef_namespace_resource_types |
| metadef_namespaces |
| metadef_objects |
| metadef_properties |
| metadef_resource_types |
| metadef_tags |
| migrate_version |
| task_info |
| tasks |
+----------------------------------+
20 rows in set (0.00 sec)
Configure glance to connect to keystone; as far as keystone is concerned, every service needs its own user to connect with:
[root@<host> ~]# source admin-openrc.sh
[root@<host> ~]# openstack user create --domain default --password=glance glance
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 6ce507f5ff57409683c24b33faf6250f |
| name | glance |
+-----------+----------------------------------+
[root@<host> ~]# openstack role add --project service --user glance admin
Edit the glance-api configuration file to integrate keystone and mysql:
[root@<host> ~]# vi /etc/glance/glance-api.conf
[keystone_authtoken]
auth_uri = http://192.168.1.31:5000
auth_url = http://192.168.1.31:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor=keystone
[DEFAULT]
notification_driver = noop (the image service does not need the message queue)
verbose=True (turns on verbose output for debugging)
[glance_store]
default_store=file (store images as files)
filesystem_store_datadir=/var/lib/glance/images/ (where the images are stored)
Edit the glance-registry configuration file to integrate keystone and mysql:
[root@<host> ~]# vi /etc/glance/glance-registry.conf
[DEFAULT]
verbose=True
notification_driver = noop
[paste_deploy]
flavor=keystone
[keystone_authtoken]
auth_uri = http://192.168.1.31:5000
auth_url = http://192.168.1.31:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = glance
password = glance
Check the settings that were changed in the glance configuration files:
[root@<host> ~]# grep -n '^[a-z]' /etc/glance/glance-api.conf
363:verbose=True
491:notification_driver = noop
538:connection=mysql://glance:[email protected]/glance
642:default_store=file
701:filesystem_store_datadir=/var/lib/glance/images/
974:auth_uri = http://192.168.1.31:5000
975:auth_url = http://192.168.1.31:35357
976:auth_plugin = password
977:project_domain_id = default
978:user_domain_id = default
979:project_name = service
980:sername = glance
981:password = glance
1484:flavor=keystone
Note: line 980 in the listing above reads sername; it must be username, otherwise glance-api cannot authenticate its service user to keystone.
[root@<host> ~]# grep -n '^[a-z]' /etc/glance/glance-registry.conf
188:verbose=True
316:notification_driver = noop
363:connection=mysql://glance:[email protected]/glance
763:auth_uri = http://192.168.1.31:5000
764:auth_url = http://192.168.1.31:35357
765:auth_plugin = password
766:project_domain_id = default
767:user_domain_id = default
768:project_name = service
769:username = glance
770:password = glance
1256:flavor=keystone
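An added configuration check (not from the original post) that does what the two grep listings above do by hand: it confirms that every [keystone_authtoken] key from this page is present and spelled correctly (it flags line 980 above, where sername must be username), the paste flavor and the database user, and it also covers the [token] and [memcache] settings from the keystone section; nova.conf can be checked the same way. The sample configs are constructed from this page's values; the function names and problem strings are this example's own.

```python
"""Checks on the settings this page puts into the OpenStack service configs.

Added example, not code from the original post. The sample configs are
constructed from the page's values; the glance one keeps the `sername`
typo that the grep output shows on line 980 of glance-api.conf.
"""
import configparser

AUTHTOKEN_KEYS = ("auth_uri", "auth_url", "auth_plugin", "project_domain_id",
                  "user_domain_id", "project_name", "username", "password")


def load(text):
    # default_section is renamed so [DEFAULT] keys are not merged into every
    # other section; strict=False tolerates repeated keys in the sample files.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__no_defaults__")
    cp.read_string(text)
    return cp


def check_service_config(text, db_user):
    """glance-api, glance-registry or nova.conf: the [keystone_authtoken] keys
    from this page, the keystone paste flavor, and the [database] user."""
    cp = load(text)
    problems = []
    if not cp.has_section("keystone_authtoken"):
        problems.append("missing [keystone_authtoken]")
    else:
        sect = cp["keystone_authtoken"]
        for key in AUTHTOKEN_KEYS:
            if key not in sect:
                problems.append("keystone_authtoken: %s missing" % key)
        for key in sect:
            if key not in AUTHTOKEN_KEYS:  # e.g. sername instead of username
                problems.append("keystone_authtoken: unexpected key %r (typo?)" % key)
        if sect.get("project_name") != "service":
            problems.append("keystone_authtoken: project_name should be service")
    if cp.get("paste_deploy", "flavor", fallback=None) != "keystone":
        problems.append("paste_deploy: flavor must be keystone")
    conn = cp.get("database", "connection", fallback="")
    if not conn.startswith("mysql://%s:" % db_user):
        problems.append("database: connection should use the %s user" % db_user)
    return problems


def check_keystone_config(text):
    """keystone.conf: the [token] driver and what it needs, plus whether the
    bootstrap admin_token is still configured."""
    cp = load(text)
    problems = []
    driver = cp.get("token", "driver", fallback="sql")
    if driver == "memcache":
        # memcached has no authentication of its own, so the address in
        # [memcache] servers must be reachable only from the controller side.
        if not cp.get("memcache", "servers", fallback=""):
            problems.append("token driver is memcache but [memcache] servers is unset")
    elif driver == "sql":
        problems.append("token driver is sql: expired rows pile up, schedule "
                        "keystone-manage token_flush")
    if cp.get("DEFAULT", "admin_token", fallback=""):
        problems.append("admin_token still set: bootstrap credential only, "
                        "unset it once the admin user exists")
    return problems


GLANCE_API_AS_ON_PAGE = """\
[DEFAULT]
verbose=True
notification_driver = noop
[database]
connection=mysql://glance:glance@192.168.1.31/glance
[keystone_authtoken]
auth_uri = http://192.168.1.31:5000
auth_url = http://192.168.1.31:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
sername = glance
password = glance
[paste_deploy]
flavor=keystone
"""
GLANCE_API_FIXED = GLANCE_API_AS_ON_PAGE.replace("\nsername =", "\nusername =")

KEYSTONE_CONF = """\
[DEFAULT]
admin_token = 8ec2b4acae6c3479574c
[database]
connection = mysql://keystone:keystone@192.168.1.31/keystone
[memcache]
servers = 192.168.1.31:11211
[token]
provider = uuid
driver = memcache
"""

if __name__ == "__main__":
    print(check_service_config(GLANCE_API_AS_ON_PAGE, "glance"))
    print(check_keystone_config(KEYSTONE_CONF))
```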
Enable glance at boot and start the glance services:
[root@<host> ~]# systemctl enable openstack-glance-api
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-api.service to /usr/lib/systemd/system/openstack-glance-api.service.
[root@<host> ~]# systemctl enable openstack-glance-registry
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-registry.service to /usr/lib/systemd/system/openstack-glance-registry.service.
[root@<host> ~]# systemctl start openstack-glance-api
[root@<host> ~]# systemctl start openstack-glance-registry
Check the ports glance is using: 9191 is the registry port and 9292 the API port.
[root@<host> ~]# netstat -lntup | egrep "9191|9292"
tcp 0 0 0.0.0.0:9292 0.0.0.0:* LISTEN 6409/python2
tcp 0 0 0.0.0.0:9191 0.0.0.0:* LISTEN 6427/python2
Register the glance service with keystone so that other services are allowed to call glance:
[root@<host> ~]# source admin-openrc.sh
[root@<host> ~]# openstack service create --name glance --description "OpenStack Image service" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image service |
| enabled | True |
| id | 8848e55c9d0446e1af806aaa7d348cc2 |
| name | glance |
| type | image |
+-------------+----------------------------------+
[root@<host> ~]# openstack endpoint create --region RegionOne image public http://192.168.1.31:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | a640114ecec84b62b129a50dd3764c53 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8848e55c9d0446e1af806aaa7d348cc2 |
| service_name | glance |
| service_type | image |
| url | http://192.168.1.31:9292 |
+--------------+----------------------------------+
[root@<host> ~]# openstack endpoint create --region RegionOne image internal http://192.168.1.31:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 5ad278127aac453d8336579a2853865e |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8848e55c9d0446e1af806aaa7d348cc2 |
| service_name | glance |
| service_type | image |
| url | http://192.168.1.31:9292 |
+--------------+----------------------------------+
[root@<host> ~]# openstack endpoint create --region RegionOne image admin http://192.168.1.31:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 30539cc243f3409ea0776a3739436f40 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8848e55c9d0446e1af806aaa7d348cc2 |
| service_name | glance |
| service_type | image |
| url | http://192.168.1.31:9292 |
+--------------+----------------------------------+
Add the glance environment variable to the admin and demo files so that other services know which image API version glance uses; this must be run in the directory that contains admin-openrc.sh:
[root@<host> ~]# echo "export OS_IMAGE_API_VERSION=2" | tee -a admin-openrc.sh demo-openrc.sh
export OS_IMAGE_API_VERSION=2
[root@<host> ~]# tail -1 admin-openrc.sh
export OS_IMAGE_API_VERSION=2
[root@<host> ~]# tail -1 demo-openrc.sh
export OS_IMAGE_API_VERSION=2
If the output looks like the following, glance is configured correctly; the list is empty because no image has been uploaded yet:
[root@<host> ~]# glance image-list
+----+------+
| ID | Name |
+----+------+
+----+------+
Download an image:
[root@<host> ~]# wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
--2017-11-13 15:02:18-- http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
Resolving download.cirros-cloud.net (download.cirros-cloud.net)... 64.90.42.85, 2607:f298:6:a036::bd6:a72a
Connecting to download.cirros-cloud.net (download.cirros-cloud.net)|64.90.42.85|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13287936 (13M) [text/plain]
Saving to: 'cirros-0.3.4-x86_64-disk.img'
100%[======================================>] 13,287,936 111KB/s in 1m 45s
2017-11-13 15:04:03 (124 KB/s) - 'cirros-0.3.4-x86_64-disk.img' saved [13287936/13287936]
Upload the image to glance; run this in the directory where the image was downloaded in the previous step:
[root@<host> ~]# glance image-create --name "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility public --progress
[=============================>] 100%
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2017-11-13T07:05:06Z |
| disk_format | qcow2 |
| id | 1e62bd78-2c63-4525-8ee6-ce8481ac7075 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | 78b63f28f4924b6aa9f28ede88e5622f |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2017-11-13T07:05:06Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
View the uploaded image:
[root@<host> ~]# glance image-list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 1e62bd78-2c63-4525-8ee6-ce8481ac7075 |cirros |
+--------------------------------------+--------+
[root@<host> ~]# cd /var/lib/glance/images/
[root@<host> images]# ls
1e62bd78-2c63-4525-8ee6-ce8481ac7075 (matches the image ID above)
Deploying the Nova control node
Nova
yum install openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient -y
Create the nova user, add it to the service project and grant it the admin role:
[root@<host> ~]# source admin-openrc.sh
[root@<host> ~]# openstack user create --domain default --password=nova nova
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 90073a1bdde8473b9c6e9b5ab933a726 |
| name | nova |
+-----------+----------------------------------+
[root@<host> ~]# openstack role add --project service --user nova admin
[root@<host> ~]# vi /etc/nova/nova.conf
[database]
connection=mysql://nova:nova@192.168.1.31/nova
Sync the database:
[root@<host> ~]# su -s /bin/sh -c "nova-manage db sync" nova (the following warnings can be ignored)
/usr/lib64/python2.7/site-packages/sqlalchemy/engine/default.py:450: Warning: Duplicate index `block_device_mapping_instance_uuid_virtual_name_device_name_idx`. This is deprecated and will be disallowed in a future release.
cursor.execute(statement, parameters)
/usr/lib64/python2.7/site-packages/sqlalchemy/engine/default.py:450: Warning: Duplicate index `uniq_instances0uuid`. This is deprecated and will be disallowed in a future release.
cursor.execute(statement, parameters)
Check the tables imported into the nova database:
[root@<host> ~]# mysql -h 192.168.1.31 -u nova -pnova
MariaDB [(none)]> use nova;
Database changed
MariaDB [nova]> show tables;
+--------------------------------------------+
| Tables_in_nova |
+--------------------------------------------+
| agent_builds |
| aggregate_hosts |
| aggregate_metadata |
| aggregates |
| block_device_mapping |
| bw_usage_cache |
| cells |
| certificates |
| compute_nodes |
| console_pools |
| consoles |
| dns_domains |
| fixed_ips |
| floating_ips |
| instance_actions |
| instance_actions_events |
| instance_extra |
| instance_faults |
| instance_group_member |
| instance_group_policy |
| instance_groups |
| instance_id_mappings |
| instance_info_caches |
| instance_metadata |
| instance_system_metadata |
| instance_type_extra_specs |
| instance_type_projects |
| instance_types |
| instances |
| key_pairs |
| migrate_version |
| migrations |
| networks |
| pci_devices |
| project_user_quotas |
| provider_fw_rules |
| quota_classes |
| quota_usages |
| quotas |
| reservations |
| s3_images |
| security_group_default_rules |
| security_group_instance_association |
| security_group_rules |
| security_groups |
| services |
| shadow_agent_builds |
| shadow_aggregate_hosts |
| shadow_aggregate_metadata |
| shadow_aggregates |
| shadow_block_device_mapping |
| shadow_bw_usage_cache |
| shadow_cells |
| shadow_certificates |
| shadow_compute_nodes |
| shadow_console_pools |
| shadow_consoles |
| shadow_dns_domains |
| shadow_fixed_ips |
| shadow_floating_ips |
| shadow_instance_actions |
| shadow_instance_actions_events |
| shadow_instance_extra |
| shadow_instance_faults |
| shadow_instance_group_member |
| shadow_instance_group_policy |
| shadow_instance_groups |
| shadow_instance_id_mappings |
| shadow_instance_info_caches |
| shadow_instance_metadata |
| shadow_instance_system_metadata |
| shadow_instance_type_extra_specs |
| shadow_instance_type_projects |
| shadow_instance_types |
| shadow_instances |
| shadow_key_pairs |
| shadow_migrate_version |
| shadow_migrations |
| shadow_networks |
| shadow_pci_devices |
| shadow_project_user_quotas |
| shadow_provider_fw_rules |
| shadow_quota_classes |
| shadow_quota_usages |
| shadow_quotas |
| shadow_reservations |
| shadow_s3_images |
| shadow_security_group_default_rules |
| shadow_security_group_instance_association |
| shadow_security_group_rules |
| shadow_security_groups |
| shadow_services |
| shadow_snapshot_id_mappings |
| shadow_snapshots |
| shadow_task_log |
| shadow_virtual_interfaces |
| shadow_volume_id_mappings |
| shadow_volume_usage_cache |
| snapshot_id_mappings |
| snapshots |
| tags |
| task_log |
| virtual_interfaces |
| volume_id_mappings |
| volume_usage_cache |
+--------------------------------------------+
105 rows in set (0.02 sec)
[root@<host> ~]# vi /etc/nova/nova.conf
[DEFAULT]
rpc_backend=rabbit (use the rabbitmq message queue)
network_api_class=nova.network.neutronv2.api.API (networking is provided by neutron; the dots denote the module path)
security_group_api=neutron (security groups are handled by neutron)
linuxnet_interface_driver=nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver (this class used to be called LinuxBridgeInterfaceDriver and is now NeutronLinuxBridgeInterfaceDriver)
firewall_driver = nova.virt.firewall.NoopFirewallDriver (turns off nova's own firewall driver)
verbose=True
enabled_apis=osapi_compute,metadata (disables the EC2 API)
my_ip=192.168.1.31 (a variable, for convenient reuse below)
debug=true
auth_strategy=keystone (authenticate with keystone; this option belongs to the [DEFAULT] section)
[vnc]
vncserver_listen=$my_ip (VNC listen address)
vncserver_proxyclient_address=$my_ip (proxy client address)
[oslo_concurrency]
lock_path=/var/lib/nova/tmp (lock file path)
[oslo_messaging_rabbit]
rabbit_host=192.168.1.31 (rabbitmq host)
rabbit_port=5672 (rabbitmq port)
rabbit_userid=openstack (rabbitmq user)
rabbit_password=openstack (rabbitmq password)
[keystone_authtoken]
auth_uri = http://192.168.1.31:5000
auth_url = http://192.168.1.31:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service (use the service project)
username = nova
password = nova
[glance]
host=$my_ip (glance address)
After editing nova.conf, the resulting settings are as follows:
[root@<host> ~]# grep -n "^[a-Z]" /etc/nova/nova.conf
198:my_ip=192.168.1.31
344:enabled_apis=osapi_compute,metadata
506:auth_strategy=keystone
838:network_api_class=nova.network.neutronv2.api.API
930:linuxnet_interface_driver=nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
1064:security_group_api=neutron
1241:firewall_driver =nova.virt.firewall.NoopFirewallDriver
1278:debug=true
1284:verbose=true
1423:rpc_backend=rabbit
1743:connection=mysql://nova:[email protected]/nova
1944:host=$my_ip
2122:auth_uri = http://192.168.1.31:5000
2123:auth_url = http://192.168.1.31:35357
2124:auth_plugin = password
2125:project_domain_id = default
2126:user_domain_id = default
2127:project_name = service
2128:username = nova
2129:password = nova
2753:lock_path=/var/lib/nova/tmp
2934:rabbit_host=192.168.1.31
2938:rabbit_port=5672
2950:rabbit_userid=openstack
2954:rabbit_password=openstack
3321:vncserver_listen=$my_ip
3326:vncserver_proxyclient_address=$my_ip
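As an added check that is not part of the original post, the Python script below reads the nova.conf key/value pairs listed above (reproduced as a constructed inline sample, regrouped under their sections) and flags the settings a reviewer would question: debug=true, Keystone and RabbitMQ passwords equal to the user name, and a NoopFirewallDriver that is not backed by security_group_api=neutron. It uses only the standard-library configparser and can be pointed at a real /etc/nova/nova.conf by passing the file's text.

```python
"""Added example (not from the original post): check the nova.conf keys listed above
for the settings that matter to security."""
import configparser

# Constructed sample: values from the post's grep -n "^[a-Z]" output, regrouped by section.
SAMPLE_NOVA_CONF = """[DEFAULT]
my_ip=192.168.1.31
enabled_apis=osapi_compute,metadata
auth_strategy=keystone
security_group_api=neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
debug=true
[keystone_authtoken]
auth_url = http://192.168.1.31:35357
auth_plugin = password
project_name = service
username = nova
password = nova
[oslo_messaging_rabbit]
rabbit_host=192.168.1.31
rabbit_userid=openstack
rabbit_password=openstack
"""


def check_nova_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    # interpolation=None so values such as $my_ip are read literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    default = cp["DEFAULT"]
    findings = []
    if default.get("auth_strategy") != "keystone":
        findings.append("[DEFAULT] auth_strategy is not keystone: API requests would not be authenticated")
    # NoopFirewallDriver is only acceptable when Neutron enforces the security groups
    if ("NoopFirewallDriver" in default.get("firewall_driver", "")
            and default.get("security_group_api") != "neutron"):
        findings.append("[DEFAULT] NoopFirewallDriver without security_group_api=neutron: instances unfiltered")
    if default.getboolean("debug", fallback=False):
        findings.append("[DEFAULT] debug=true: debug logging can leak request details into nova logs")
    # Service and message-queue credentials: reject a password that equals the user name or is short
    for section, user_key, pw_key in (("keystone_authtoken", "username", "password"),
                                      ("oslo_messaging_rabbit", "rabbit_userid", "rabbit_password")):
        user = cp.get(section, user_key, fallback="")
        password = cp.get(section, pw_key, fallback="")
        if not password or password == user or len(password) < 12:
            findings.append(f"[{section}] {pw_key} is missing, equals {user_key}, or is shorter than 12 chars")
    return findings


if __name__ == "__main__":
    print(*check_nova_conf(SAMPLE_NOVA_CONF), sep="\n")
```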
Enable and start all of the nova services
[[email protected] ~]# systemctl enable openstack-nova-api.service openstack-nova-cert.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-api.service to /usr/lib/systemd/system/openstack-nova-api.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-cert.service to /usr/lib/systemd/system/openstack-nova-cert.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-consoleauth.service to /usr/lib/systemd/system/openstack-nova-consoleauth.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-scheduler.service to /usr/lib/systemd/system/openstack-nova-scheduler.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-conductor.service to /usr/lib/systemd/system/openstack-nova-conductor.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-novncproxy.service to /usr/lib/systemd/system/openstack-nova-novncproxy.service.
[[email protected] ~]# systemctl start openstack-nova-api.service openstack-nova-cert.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
Register nova with Keystone, then check that the nova services on the controller node are configured correctly
[[email protected] ~]# source admin-openrc.sh
[[email protected] ~]# openstack service create --name nova --description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Compute |
| enabled | True |
| id | 5debdd8cb34e49d6ace860c7f337390d |
| name | nova |
| type | compute |
+-------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne compute public http://192.168.1.31:8774/v2/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 3ea5e849657741fb867bafbcbdc57328 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5debdd8cb34e49d6ace860c7f337390d |
| service_name | nova |
| service_type | compute |
| url | http://192.168.1.31:8774/v2/%(tenant_id)s |
+--------------+-------------------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne compute internal http://192.168.1.31:8774/v2/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 7f7bbdaa6e3540babb6f94b11ab53ef6 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5debdd8cb34e49d6ace860c7f337390d |
| service_name | nova |
| service_type | compute |
| url | http://192.168.1.31:8774/v2/%(tenant_id)s |
+--------------+-------------------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne compute admin http://192.168.1.31:8774/v2/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 0f6a1d56e67e40a2a6638dc7c6cf72ed |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5debdd8cb34e49d6ace860c7f337390d |
| service_name | nova |
| service_type | compute |
| url | http://192.168.1.31:8774/v2/%(tenant_id)s |
+--------------+-------------------------------------------+
[[email protected] ~]# openstack host list
+-------------+-------------+----------+
| Host Name | Service | Zone |
+-------------+-------------+----------+
| linux-node1 | conductor | internal |
| linux-node1 | consoleauth | internal |
| linux-node1 | cert | internal |
| linux-node1 | scheduler | internal |
+-------------+-------------+----------+