I. OpenStack two-node deployment
1. Hardware configuration
controller node: 8 GB RAM, 1 CPU core, 100 GB disk
compute node: 8 GB RAM, 1 CPU core, 100 GB disk
2. Deployment layout
Controller node: SQL, NoSQL, message queue, NTP service, identity service, image service, placement service, compute management,
network management, networking ML2 plugin, Linux networking tools, Open vSwitch agent, networking DHCP agent, networking metadata agent,
block storage management
Compute node: KVM hypervisor, compute, Linux networking tools, Open vSwitch agent,
block storage management
Note: throughout this build, every password I use is mysql
3. Setting up the OpenStack environment
(1) Disable the firewall and SELinux on both nodes
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
(2) Install chrony, only on the controller node
yum install chrony
(3) Configure the controller node; run only on controller (substitute the controller's second NIC address for <NIC2 IP>)
sed -i "s@#allow.*@allow <NIC2 IP>/24@" /etc/chrony.conf
sed -i "s@#server.*@server ntp1.aliyun.com iburst@" /etc/chrony.conf
systemctl start chronyd && systemctl enable chronyd
(4) Configure the other node: only on the compute node, point the NTP server in /etc/chrony.conf at the controller
ssh compute 'sed -i "s@server.*@server controller iburst@" /etc/chrony.conf'
ssh compute 'systemctl start chronyd && systemctl enable chronyd'
(5) Restart the NTP service on both nodes
systemctl restart chronyd.service
(6) Check synchronisation
chronyc sources
(7) List the clients that have synchronised from the controller
chronyc clients
(8) Configure node networking: the first NIC reaches the Internet, the second is an internal host-only network; do this on every host
1. Stop the NetworkManager service
systemctl stop NetworkManager
2. Set the NIC IP addresses (if connectivity breaks, fall back to DHCP)
vi /etc/sysconfig/network-scripts/ifcfg-ens33
vi /etc/sysconfig/network-scripts/ifcfg-ens36 # adjust to your actual NIC names
(9) Set the hostnames
hostnamectl set-hostname controller # controller node
hostnamectl set-hostname compute # compute node
(10) Add the hostnames to /etc/hosts and sync the hosts file.
echo -e "<controller NIC2 IP> controller\n<compute NIC2 IP> compute" >> /etc/hosts
scp /etc/hosts compute:/etc/hosts
(11) Set up passwordless SSH from the controller to the other node. After the first command, press Enter at each prompt to generate the key with the defaults. Run only on the controller.
ssh-keygen
ssh-copy-id -i /root/.ssh/id_rsa.pub compute
ssh compute
(12) Test connectivity from the controller to the compute node.
ssh compute
Type exit to return once the login succeeds
IV. Installing the OpenStack packages
(1) Enable the OpenStack repository, on both hosts
yum install centos-release-openstack-train
(2) Upgrade the packages
yum upgrade
(3) Install the OpenStack client
yum install python-openstackclient
(4) Install the openstack-selinux package to manage the security policy for OpenStack services automatically
yum -y install openstack-selinux
(5) Verify the installation
openstack --version
V. Installing the SQL database on the controller node
(1) Install the packages
yum -y install mariadb mariadb-server python2-PyMySQL
yum install crudini
(2) Edit the /etc/my.cnf.d/openstack.cnf configuration file
The address on the first line is the address of NIC 1
crudini --set /etc/my.cnf.d/openstack.cnf mysqld bind-address 192.168.200.100
crudini --set /etc/my.cnf.d/openstack.cnf mysqld default-storage-engine innodb
crudini --set /etc/my.cnf.d/openstack.cnf mysqld innodb_file_per_table on
crudini --set /etc/my.cnf.d/openstack.cnf mysqld max_connections 4096
crudini --set /etc/my.cnf.d/openstack.cnf mysqld collation-server utf8_general_ci
crudini --set /etc/my.cnf.d/openstack.cnf mysqld character-set-server utf8
(3) Enable MariaDB at boot and start the database service.
systemctl enable mariadb.service && systemctl start mariadb.service
If the service fails to start, check that MariaDB is fully installed and that the service is healthy
rpm -qa | grep mariadb
If MariaDB is not installed, install it with the package manager.
sudo yum install mariadb-server
Reload the systemd daemon
systemctl daemon-reload
Enable, start and verify the MariaDB service
systemctl enable mariadb
systemctl start mariadb
systemctl status mariadb
(4) Run the security script to harden the database. The initial root password is empty, so press Enter at the first prompt. Set the new root password to mysql. To allow root to log in remotely, answer n at that prompt and y at all the others. If the script prints "Found option without preceding group in config file", openstack.cnf is missing its [mysqld] section header; check the file before continuing
mysql_secure_installation
[root@controller ~]# mysql_secure_installation
error: Found option without preceding group in config file: /etc/my.cnf.d/openstack.cnf at line: 1
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@controller ~]#
VI. Installing the RabbitMQ message queue service on the controller node
(1) Install the package
yum -y install rabbitmq-server
(2) Enable RabbitMQ at boot and start the message queue service
systemctl enable rabbitmq-server && systemctl start rabbitmq-server
(3) Add a user account named openstack
rabbitmqctl add_user openstack mysql
(4) Grant the openstack user configure, write and read permissions
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
(5) Check the RabbitMQ status, then the user and its permissions
rabbitmqctl status
rabbitmqctl list_user_permissions openstack
(6) Check the ports RabbitMQ listens on
yum -y install net-tools
[root@controller ~]# systemctl enable rabbitmq-server && systemctl start rabbitmq-server
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@controller ~]# rabbitmqctl add_user openstack 123456
Creating user "openstack"
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/"
[root@controller ~]# rabbitmqctl status
Status of node rabbit@controller
[{pid,13465},
{running_applications,
[{rabbit,"RabbitMQ","3.6.16"},
{mnesia,"MNESIA CXC 138 12","4.14.3"},
{ranch,"Socket acceptor pool for TCP protocols.","1.3.2"},
......
[root@controller ~]# rabbitmqctl list_user_permissions openstack
Listing permissions for user "openstack"
/ .* .* .*
[root@controller ~]#
[root@controller ~]# yum -y install net-tools
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
......
正在安装 : net-tools-2.0-0.25.20131004git.el7.x86_64 1/1
验证中 : net-tools-2.0-0.25.20131004git.el7.x86_64 1/1
已安装:
net-tools.x86_64 0:2.0-0.25.20131004git.el7
完毕!
[root@controller ~]#
VII. Installing the Memcached service
Install Memcached on the controller node; the identity service of OpenStack uses Memcached to cache tokens
(1) Install the packages
yum -y install memcached python-memcached
(2) Edit the /etc/sysconfig/memcached configuration file
vi /etc/sysconfig/memcached
# change the OPTIONS line from the default OPTIONS="-l 127.0.0.1,::1" to the following, so memcached also listens on the controller's second NIC address:
OPTIONS="-l 127.0.0.1,::1,<controller NIC2 IP>"
(3) Enable Memcached at boot and start the service
systemctl enable memcached && systemctl start memcached
(4) Check the port Memcached listens on
netstat -tunlp | grep memcached
VIII. Installing the Etcd service
Install Etcd on the controller node for distributed key locking, configuration storage, service tracking and similar tasks.
(1) Install the package
yum -y install etcd
(2) Edit the /etc/etcd/etcd.conf configuration file and set ETCD_INITIAL_CLUSTER and the related options to the controller's management IP address.
The settings are as follows; in this post every address is localhost, which is sufficient for a single etcd node.
vi /etc/etcd/etcd.conf
# etcd.conf is a systemd environment file (KEY="value" lines, no [section] headers), so it is edited directly
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
ETCD_NAME="controller"
# must match the controller=... entry in ETCD_INITIAL_CLUSTER below, otherwise etcd refuses to bootstrap the new cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
ETCD_INITIAL_CLUSTER="controller=http://localhost:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
(3) Enable Etcd at boot and start the service
systemctl enable etcd && systemctl start etcd
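The etcd settings above are easy to get subtly wrong: the advertised peer URL has to agree with the node's entry in ETCD_INITIAL_CLUSTER, and a listener bound to a non-loopback address over plain http exposes etcd without TLS or authentication. The following checker is an added example (not code from the original post); its sample configuration is constructed here and deliberately advertises the management IP while ETCD_INITIAL_CLUSTER still names localhost, which etcd rejects at startup.

```python
from urllib.parse import urlparse

# Constructed sample of /etc/etcd/etcd.conf in the systemd environment-file style
# etcd reads on CentOS; the advertised peer URL and the cluster entry disagree on purpose.
SAMPLE_ETCD_CONF = """\
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
ETCD_NAME="controller"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.200.100:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
ETCD_INITIAL_CLUSTER="controller=http://localhost:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
"""

LOOPBACK = ("localhost", "127.0.0.1", "::1")


def parse_env_file(text):
    """Parse KEY="value" / KEY=value lines; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def check_etcd_conf(text):
    """Return a list of problems found in the config; an empty list means it is consistent."""
    conf = parse_env_file(text)
    problems = []
    name = conf.get("ETCD_NAME", "default")
    # ETCD_INITIAL_CLUSTER is "name=peer-url,name=peer-url,..." (one URL per node assumed here)
    cluster = dict(e.split("=", 1) for e in conf.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in e)
    advertised = conf.get("ETCD_INITIAL_ADVERTISE_PEER_URLS", "")
    if name not in cluster:
        problems.append(f"ETCD_INITIAL_CLUSTER has no entry for ETCD_NAME={name}")
    elif cluster[name] != advertised:
        problems.append(f"peer URL mismatch: cluster says {cluster[name]}, advertised {advertised}")
    # A non-loopback http:// listener exposes etcd (no TLS, no auth by default) to the network
    for key in ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS"):
        for url in conf.get(key, "").split(","):
            host = urlparse(url).hostname
            if host and host not in LOOPBACK and url.startswith("http://"):
                problems.append(f"{key} listens on {host} over plain http")
    return problems
```

To check the real file, pass the contents of /etc/etcd/etcd.conf to check_etcd_conf and fix anything it reports before starting the service.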
IX. Installing and deploying the Keystone identity service
1. Create the Keystone database
(1) Log in to the database and create the keystone database; my database password is mysql
mysql -u root -p
create database keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'mysql';
flush privileges;
Generate a random value to use as the admin token
[root@controller ~]# openssl rand -hex 10
25b545d56fd197ee5c00
[root@controller ~]#
2. Install and configure Keystone, the database and Apache
(1) Install keystone, httpd and mod_wsgi
yum -y install openstack-keystone httpd mod_wsgi
cp -a /etc/keystone/keystone.conf{,.bak}
# strip blank and comment lines from the backup to produce a compact keystone.conf
grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# database access through the pymysql module: user name, password, database host name and database name
crudini --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:mysql@controller/keystone
# token provider; the provider is Keystone itself. Fernet is a secure message format
crudini --set /etc/keystone/keystone.conf token provider fernet
Equivalently, edit /etc/keystone/keystone.conf by hand so that it contains:
[database]
connection = mysql+pymysql://keystone:mysql@controller/keystone
[token]
provider = fernet
(2) Initialize the identity service database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories (the commands below generate keys under /etc/keystone/, used to encrypt tokens and credentials)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
(3) Bootstrap the identity service, setting the admin password to mysql
keystone-manage bootstrap --bootstrap-password mysql \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
3. Configure the Apache HTTP server
(1) Edit the /etc/httpd/conf/httpd.conf configuration file
vi /etc/httpd/conf/httpd.conf
ServerName controller
# or
echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
(2) Create a link to the /usr/share/keystone/wsgi-keystone.conf file
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
(3) Start the Apache HTTP service and enable it at boot
systemctl enable httpd.service
systemctl start httpd.service
4. Configure the admin account's environment variables
# These variables are used when creating roles and projects, which requires authentication. Exporting the admin user name, password and the other credentials as environment variables lets the client authenticate without prompting, so OpenStack can be driven non-interactively.
cat >> ~/.bashrc << EOF
export OS_USERNAME=admin
export OS_PASSWORD=mysql
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
source ~/.bashrc
With these variables set, openstack commands can now be run; later articles will use them.
openstack user list # list users
5. Create the domain, projects, users and roles
Create a project in the specified domain with a description; the project name is service (domains can be listed with openstack domain list)
openstack domain create --description "Default Domain" default
openstack project create --domain default --description "Service Project" service
Create the demo project
openstack project create --domain default --description "Demo Project" demo
Create the demo user
openstack user create --domain default --password-prompt demo
You will be prompted for the new password; mine is mysql
Create a role (list roles with openstack role list)
openstack role create demo
Add the member role to the demo user on the demo project
openstack role add --project demo --user demo member
List the OpenStack roles
openstack role list
admin is the administrator, member is a tenant member, user is an ordinary user
# Check whether a token can be obtained without supplying the password (this verifies the identity service)
Summary: the Keystone component is the unified authentication and authorization module of an OpenStack cluster. Its core function is the control of Users, Tenants, Roles and Tokens (a manual deployment is built around these functions).
User: a user of OpenStack.
Tenant: a tenant, which can be thought of as the collection of resources owned by a person, project or organization. A tenant can contain many users, who use the tenant's resources according to their assigned permissions.
Role: a role, used to assign operating permissions. A role can be assigned to a user, who then gains the permissions the role carries.
Token: a bit string or character string used as a credential for accessing resources. A token carries the scope of accessible resources and a validity period; it is the user's credential and can only be obtained by presenting a correct user name and password to the Keystone service.
The approach to building OpenStack by manual deployment:
1. Deploy module by module
2. Prepare the base environment for the keystone module (download dependencies, component packages, third-party tools/plugins)
3. Create and enable the module's functions (for keystone: create and initialize the identity database, edit the configuration file, initialize the Fernet keys, configure the identity service)
4. Verify
6. Create the OpenStack client environment script
1) Create the admin-openrc script as the client environment script for the admin cloud administrator
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=mysql
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Use the script
. admin-openrc
openstack token issue
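What openstack token issue does with the OS_* variables from section 4 and admin-openrc is a single Keystone v3 exchange: a password-authenticated, project-scoped POST to /v3/auth/tokens, with the token returned in the X-Subject-Token header. The client below is an added example (not code from the original post); the sample Keystone reply is constructed here, and the live exchange assumes the admin-openrc variables are exported.

```python
import json
import os
import urllib.request

# Constructed sample of what Keystone returns for POST /v3/auth/tokens
# (a Fernet token starts with "gAAAAAB"; the value here is made up).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexampletoken"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2020-01-01T01:00:00.000000Z",
    "project": {"name": "admin", "domain": {"name": "Default"}},
    "roles": [{"name": "member"}, {"name": "admin"}]}})


def build_password_auth(username, password, project, user_domain="Default", project_domain="Default"):
    """Request body for POST {OS_AUTH_URL}/auth/tokens: password auth scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username, "password": password,
                                            "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}}}}


def parse_token_response(headers, body):
    """Keystone puts the token in the X-Subject-Token header; the JSON body describes its scope."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("no X-Subject-Token header in Keystone reply")
    data = json.loads(body)["token"]
    return {"token": token, "expires_at": data["expires_at"],
            "project": data["project"]["name"],
            "roles": sorted(r["name"] for r in data.get("roles", []))}


def issue_token(auth_url, username, password, project):
    """Run the exchange against a live controller (auth_url is OS_AUTH_URL, e.g. http://controller:5000/v3)."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(build_password_auth(username, password, project)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, resp.read())


if __name__ == "__main__":
    # Reads the variables admin-openrc exports, so the password is not passed on the command line.
    result = issue_token(os.environ["OS_AUTH_URL"], os.environ["OS_USERNAME"],
                         os.environ["OS_PASSWORD"], os.environ["OS_PROJECT_NAME"])
    print(result["project"], result["roles"], result["expires_at"])
```

The returned token is what later commands send in the X-Auth-Token header, so treat the script's output like the password itself.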