3.1 chrony, the time synchronization server on CentOS 7
Install chrony
[root@linux-node1 ~]# yum install -y chrony
Edit its configuration file
[root@linux-node1 ~]# vim /etc/chrony.conf
allow 192.168/16
Enable chronyd at boot and start it
[root@linux-node1 ~]# systemctl enable chronyd.service
[root@linux-node1 ~]# systemctl start chronyd.service
Set the CentOS 7 time zone
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai
Check the time zone and the current time
[root@linux-node1 ~]# timedatectl status
      Local time: Tue 2015-12-15 12:19:55 CST
  Universal time: Tue 2015-12-15 04:19:55 UTC
        RTC time: Sun 2015-12-13 15:35:33
        Timezone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
      DST active: n/a
[root@linux-node1 ~]# date
Tue Dec 15 12:19:57 CST 2015
3.2 Getting started with MySQL
Every OpenStack component except Horizon needs a database. This guide uses MySQL, which on CentOS 7 is shipped as MariaDB by default.
Copy the sample configuration file
[root@linux-node1 ~]# cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
Edit the MySQL configuration and start the service
[root@linux-node1 ~]# vim /etc/my.cnf    (add the following under the [mysqld] section)
[mysqld]
default-storage-engine = innodb      # default storage engine
innodb_file_per_table                # one tablespace file per table
collation-server = utf8_general_ci   # collation
init-connect = 'SET NAMES utf8'      # character set for every new connection
character-set-server = utf8          # default character set for newly created databases
Enable MariaDB at boot and start it
[root@linux-node1 ~]# systemctl enable mariadb.service
ln -s '/usr/lib/systemd/system/mariadb.service' '/etc/systemd/system/multi-user.target.wants/mariadb.service'
[root@linux-node1 ~]# systemctl start mariadb.service
Set the MySQL root password
[root@linux-node1 ~]# mysql_secure_installation
Create the database for every component and grant privileges on it
[root@linux-node1 ~]# mysql -uroot -p123456
Run the following SQL
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
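The statements above use the component name as the database password for every service account. The script below is an added example, not part of the original tutorial: it generates the same CREATE DATABASE / GRANT pairs for any list of components, but with a random password per account, and records the passwords in a root-only file so they can be copied into each service's configuration later. The helper names (random_secret, component_sql, bootstrap_sql) and the secrets file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the per-component
# CREATE DATABASE / GRANT statements with a random password for each service
# account instead of a password equal to the account name, and keep the
# generated passwords in a root-only file for the later configuration steps.

# 20 hex characters from /dev/urandom (helper written for this example).
random_secret() {
    head -c 10 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# component_sql NAME PASSWORD: the statements for one component, where NAME
# is used for both the database and the user, exactly as in the tutorial.
# The '%' grant accepts connections from any host; it can be narrowed to the
# controller's management address once that address is fixed.
component_sql() {
    printf "CREATE DATABASE %s;\n" "$1"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$1" "$2"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%%' IDENTIFIED BY '%s';\n" "$1" "$1" "$2"
}

# bootstrap_sql SECRETS_FILE COMPONENT...: print the SQL for all components
# on stdout and write "component=password" lines to SECRETS_FILE, which is
# created with mode 0600 (the subshell keeps the umask change local).
bootstrap_sql() (
    umask 077
    secrets_file=$1
    shift
    : > "$secrets_file" || exit 1
    for c in "$@"; do
        p=$(random_secret)
        printf "%s=%s\n" "$c" "$p" >> "$secrets_file"
        component_sql "$c" "$p"
    done
)

# Usage (constructed): feed the output to the MariaDB root session from the
# tutorial, for example
#   bootstrap_sql /root/openstack-db-secrets keystone glance nova neutron cinder | mysql -uroot -p
```

The passwords end up in /root/openstack-db-secrets (a path chosen for this example) and in the mysql.user table; the later connection = mysql://... lines in each service's configuration must use the generated value instead of the component name.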
3.3 The RabbitMQ message queue
SOA: a service-oriented architecture is a component model that links the different functional units of an application (called services) through well-defined interfaces and contracts between those services. The interfaces are defined in a neutral way, independent of the hardware platform, operating system and programming language the service is implemented on, so that services built on very different systems can interact in a uniform and generic way.
OpenStack follows this SOA approach and takes advantage of its loose coupling: each component is deployed on its own, components may act as consumers and providers of one another, and they communicate through a message queue (OpenStack supports RabbitMQ, ZeroMQ and Qpid), so that when one service goes down the others do not all go down with it.
Start RabbitMQ
[root@linux-node1 ~]# systemctl enable rabbitmq-server.service
ln -s '/usr/lib/systemd/system/rabbitmq-server.service' '/etc/systemd/system/multi-user.target.wants/rabbitmq-server.service'
[root@linux-node1 ~]# systemctl start rabbitmq-server.service
Create the RabbitMQ user and grant it permissions
[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack
[root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Enable the RabbitMQ web management plugin
[root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management
Restart RabbitMQ
[root@linux-node1 ~]# systemctl restart rabbitmq-server.service
Check the RabbitMQ ports: 5672 is the service (AMQP) port, 15672 is the web management port and 25672 is the clustering port
[root@linux-node1 ~]# netstat -lntup | grep 5672
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      52448/beam
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      52448/beam
tcp6       0      0 :::5672                 :::*                    LISTEN      52448/beam
In the web UI, add the openstack user and set its permissions. The first login must use guest as both the user name and the password.
[screenshot: RabbitMQ management UI, adding the openstack user]
Set the role to administrator and set the password for openstack.
[screenshot: RabbitMQ management UI, user role and password]
If you want to monitor RabbitMQ, you can use the API shown in the figure below.
[screenshot: RabbitMQ management HTTP API reference]
3.4 The Keystone component
Edit the keystone configuration file
[root@linux-node1 opt]# vim /etc/keystone/keystone.conf
admin_token = 863d35676a5632e846d9
    Used to connect and create users while no user exists yet; the value was generated randomly with openssl.
connection = mysql://keystone:keystone@192.168.56.11/keystone
    The database connection; the three occurrences of "keystone" are the MySQL user name, its password and the name of the keystone database in MySQL.
Switch to the keystone user and import the keystone database schema
[root@linux-node1 opt]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@linux-node1 keystone]# cd /var/log/keystone/
[root@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 7064 Dec 15 14:43 keystone.log
(Running the import as the keystone user means the log file belongs to keystone, which is also the user that writes to it when the service starts; if the import is run as root, the keystone program cannot be started as the keystone user.)
Change the following lines as well (the numbers are line numbers inside the file, as reported by grep -n):
31:verbose = true                    # enable debug output
1229:servers = 192.168.57.11:11211   # the servers entry: the memcache address
1634:driver = sql                    # use the default sql driver
1827:provider = uuid                 # use UUID tokens
1832:driver = memcache               # tokens issued from a user/password login are stored in memcache, which performs well under load
Check the result of the changes
[root@linux-node1 keystone]# grep -n "^[a-Z]" /etc/keystone/keystone.conf
12:admin_token = 863d35676a5632e846d9
31:verbose = true
419:connection = mysql://keystone:keystone@192.168.56.11/keystone
1229:servers = 192.168.57.11:11211
1634:driver = sql
1827:provider = uuid
1832:driver = memcache
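Editing keystone.conf by file line number in vim works once but is fragile across package versions. The helper below is an added example, not part of the original tutorial: it sets a key inside a named section of an ini-style file (replacing a commented-out default or an existing value, creating the section if needed), generates a bootstrap token of the same shape as the tutorial's admin_token, and lists the active settings the way the grep above does. The function names (ini_set, ini_active, new_admin_token) and the paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): set keystone.conf options
# with an idempotent helper instead of hand-editing line numbers in vim, then
# list the active settings the way the tutorial does with grep -n.

# ini_set FILE SECTION KEY VALUE
# Replaces "key = ..." (commented out or not) inside [SECTION]; if the key is
# absent it is appended at the end of the section, and a missing section is
# created at the end of the file. The file is rewritten in place through cat,
# so its mode and owner are preserved.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { insec = 0; done = 0 }
        /^\[.*\]$/ {
            if (insec && !done) { print k " = " v; done = 1 }   # append at end of section
            insec = (substr($0, 2, length($0) - 2) == s)
        }
        insec && !done && $0 ~ ("^#?[ \t]*" k "[ \t]*=") {
            print k " = " v; done = 1; next                      # replace the existing line
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" s "]"                      # section did not exist
                print k " = " v
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# List the active (uncommented) options with their line numbers, like the
# tutorial's grep -n "^[a-Z]". [[:alpha:]] is used instead of a-Z because
# that range is only well defined in the C locale.
ini_active() {
    grep -n '^[[:alpha:]]' "$1"
}

# A bootstrap admin_token of the same shape as the tutorial's (20 hex
# characters, which is what openssl rand -hex 10 also produces).
new_admin_token() {
    head -c 10 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Usage (the database password is a placeholder; the tutorial uses "keystone"):
#   ini_set /etc/keystone/keystone.conf DEFAULT admin_token "$(new_admin_token)"
#   ini_set /etc/keystone/keystone.conf DEFAULT verbose true
#   ini_set /etc/keystone/keystone.conf database connection 'mysql://keystone:DB_PASSWORD_HERE@192.168.56.11/keystone'
#   ini_set /etc/keystone/keystone.conf memcache servers 192.168.57.11:11211
#   ini_set /etc/keystone/keystone.conf token provider uuid
#   ini_set /etc/keystone/keystone.conf token driver memcache
#   ini_active /etc/keystone/keystone.conf
```

Because the replacement is keyed on section and name rather than on a line number, the same calls can be re-run after a package update without producing duplicate entries.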
Check the result of the database import
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
33 rows in set (0.00 sec)
Add the Apache wsgi-keystone configuration file. Port 5000 serves the public API and port 35357 serves the admin API for management.
[root@linux-node1 keystone]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Configure the Apache ServerName; without it the keystone service is affected
[root@linux-node1 httpd]# vim conf/httpd.conf
ServerName 192.168.56.11:80
Enable and start memcached and httpd (keystone runs inside httpd)
[root@linux-node1 httpd]# systemctl enable memcached httpd
ln -s '/usr/lib/systemd/system/memcached.service' '/etc/systemd/system/multi-user.target.wants/memcached.service'
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@linux-node1 httpd]# systemctl start memcached httpd
Check which ports httpd is listening on
[root@linux-node1 httpd]# netstat -lntup | grep httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      70482/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      70482/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      70482/httpd
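The two netstat checks in this guide (RabbitMQ on 5672, 15672 and 25672 in section 3.3, and httpd on 80, 5000 and 35357 here) are done by eye. The script below is an added example, not part of the original tutorial: it parses netstat -lntup output, reports which expected ports are missing, and lists the ports bound to every interface (0.0.0.0 or ::), which is the set worth limiting with a host firewall, the management port 15672 in particular. The function names and the sample netstat lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the listening ports
# that the tutorial checks with "netstat -lntup | grep ...", and point out
# wildcard bindings.

# Print "PORT LOCAL_ADDRESS" for every TCP socket in LISTEN state.
# Reads netstat -lntup output on stdin.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")          # the port is the text after the last colon
        print a[n] " " $4
    }'
}

# missing_ports FILE PORT...: FILE holds netstat output. Prints every PORT
# that is not listening; returns 1 if any is missing, 0 otherwise.
missing_ports() {
    file=$1
    shift
    rc=0
    for p in "$@"; do
        if ! listening_ports < "$file" | awk -v p="$p" '$1 == p { found = 1 } END { exit !found }'; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# wildcard_ports FILE: ports bound to 0.0.0.0 or :: are reachable on every
# interface; on the controller these should be restricted to the management
# network by a host firewall rather than left open to all networks.
wildcard_ports() {
    listening_ports < "$1" | awk '$2 ~ /^(0\.0\.0\.0|::):/ { print $1 }'
}

# Usage (on the controller):
#   netstat -lntup > /tmp/netstat.out
#   missing_ports /tmp/netstat.out 5672 15672 25672 80 5000 35357 && echo "all expected ports are listening"
#   wildcard_ports /tmp/netstat.out
```

The sample in the test block binds 15672 to 127.0.0.1 on purpose: it still counts as listening for missing_ports but no longer appears in wildcard_ports, which is the difference a firewall or a RabbitMQ listener setting makes.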
Create users and connect to keystone. There are two ways to do this: pass the parameters on the command line (see keystone --help), or set them as environment variables. Below we use environment variables, setting the token, the API endpoint and the API version (a good fit for an SOA).
[root@linux-node1 ~]# export OS_TOKEN=863d35676a5632e846d9
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
Create the admin project
[root@linux-node1 httpd]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 45ec9f72892c404897d0f7d6668d7a53 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
Create the admin user and set its password (in production, be sure to use a complex one)
[root@linux-node1 httpd]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | bb6d73c0b07246fb8f26025bb72c06a1 |
| name      | admin                            |
+-----------+----------------------------------+
Create the admin role
[root@linux-node1 httpd]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | b0bd00e6164243ceaa794db3250f267e |
| name  | admin                            |
+-------+----------------------------------+
Add the admin user to the admin project with the admin role, which links the role, the project and the user together
[root@linux-node1 httpd]# openstack role add --project admin --user admin admin
Create an ordinary user demo and a demo project, with the ordinary role (user), and link them together
[root@linux-node1 httpd]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4a213e53e4814685859679ff1dcb559f |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@linux-node1 httpd]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | eb29c091e0ec490cbfa5d11dc2388766 |
| name      | demo                             |
+-----------+----------------------------------+
[root@linux-node1 httpd]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 4b36460ef1bd42daaf67feb19a8a55cf |
| name  | user                             |
+-------+----------------------------------+
[root@linux-node1 httpd]# openstack role add --project demo --user demo user
Create a service project; it holds the service accounts of nova, neutron, glance and the other components
[root@linux-node1 httpd]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 0399778f38934986a923c96d8dc92073 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
List the users, roles and projects just created
[root@linux-node1 httpd]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| bb6d73c0b07246fb8f26025bb72c06a1 | admin |
| eb29c091e0ec490cbfa5d11dc2388766 | demo  |
+----------------------------------+-------+
[root@linux-node1 httpd]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0399778f38934986a923c96d8dc92073 | service |
| 45ec9f72892c404897d0f7d6668d7a53 | admin   |
| 4a213e53e4814685859679ff1dcb559f | demo    |
+----------------------------------+---------+
[root@linux-node1 httpd]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 4b36460ef1bd42daaf67feb19a8a55cf | user  |
| b0bd00e6164243ceaa794db3250f267e | admin |
+----------------------------------+-------+
Register the keystone service. Although keystone is the service registry itself, it also has to register its own service.
Create the keystone identity service
[root@linux-node1 httpd]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 46228b6dae2246008990040bbde371c3 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Create the three endpoint types: public (externally visible), internal (used inside the deployment) and admin (used for management)
[root@linux-node1 httpd]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1143dcd58b6848a1890c3f2b9bf101d5 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 46228b6dae2246008990040bbde371c3 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v2.0   |
+--------------+----------------------------------+
[root@linux-node1 httpd]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 496f648007a04e5fbe99b62ed8a76acd |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 46228b6dae2246008990040bbde371c3 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v2.0   |
+--------------+----------------------------------+
[root@linux-node1 httpd]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 28283cbf90b5434ba7a8780fac9308df |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 46228b6dae2246008990040bbde371c3 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v2.0  |
+--------------+----------------------------------+
List the endpoints just created
[root@linux-node1 httpd]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 1143dcd58b6848a1890c3f2b9bf101d5 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v2.0  |
| 28283cbf90b5434ba7a8780fac9308df | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v2.0 |
| 496f648007a04e5fbe99b62ed8a76acd | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
Connect to keystone and request a token. Now that a user name and password exist, the admin token is no longer used, so the token environment variables must be unset first
[root@linux-node1 httpd]# unset OS_TOKEN
[root@linux-node1 httpd]# unset OS_URL
[root@linux-node1 httpd]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
  --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-12-16T17:45:52.926050Z      |
| id         | ba1d3c403bf34759b239176594001f8b |
| project_id | 45ec9f72892c404897d0f7d6668d7a53 |
| user_id    | bb6d73c0b07246fb8f26025bb72c06a1 |
+------------+----------------------------------+
Put the environment variables for the admin and demo users into files and make them executable; from then on, just source the file before running commands
[root@linux-node1 ~]# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# cat demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# chmod +x demo-openrc.sh
[root@linux-node1 ~]# chmod +x admin-openrc.sh
[root@linux-node1 ~]# source admin-openrc.sh
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-12-16T17:54:06.632906Z      |
| id         | ade4b0c451b94255af1e96736555db75 |
| project_id | 45ec9f72892c404897d0f7d6668d7a53 |
| user_id    | bb6d73c0b07246fb8f26025bb72c06a1 |
+------------+----------------------------------+
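The openrc files above carry OS_PASSWORD in clear text, and since they are read with source they do not need an execute bit; what matters is who can read them. The script below is an added example, not part of the original tutorial: it writes an openrc file with exactly the variables shown above but owner-only permissions, reads single values back without exporting them into the current shell, and checks that a file has the expected mode and variables. The function names (write_openrc, openrc_var, openrc_check) and the placeholder password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create and check an openrc
# file that holds the same variables as admin-openrc.sh / demo-openrc.sh.

# write_openrc PATH USERNAME PROJECT PASSWORD AUTH_URL
# The file is meant to be sourced, so it gets no execute bit; the umask is
# changed inside a subshell so the caller's umask is left untouched.
write_openrc() (
    umask 077
    cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=$3
export OS_TENANT_NAME=$3
export OS_USERNAME=$2
export OS_PASSWORD=$4
export OS_AUTH_URL=$5
export OS_IDENTITY_API_VERSION=3
EOF
)

# openrc_var PATH NAME: source PATH in a subshell and print variable NAME,
# so nothing is exported into the calling shell.
openrc_var() (
    . "$1"
    eval "printf '%s\n' \"\$$2\""
)

# openrc_check PATH: succeed only if PATH is readable by its owner alone
# (mode rw-------) and sets every variable the tutorial's openrc files set.
openrc_check() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    for v in OS_PROJECT_DOMAIN_ID OS_USER_DOMAIN_ID OS_PROJECT_NAME OS_TENANT_NAME \
             OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        [ -n "$(openrc_var "$1" "$v")" ] || return 1
    done
}

# Usage (the password is a placeholder; use the one given to
# "openstack user create --password-prompt admin"):
#   write_openrc /root/admin-openrc.sh admin admin 'ADMIN_PASSWORD_HERE' http://192.168.56.11:35357/v3
#   openrc_check /root/admin-openrc.sh && . /root/admin-openrc.sh && openstack token issue
```

openrc_check is meant to run before sourcing a file: a file that fails the permission test has already been readable by other local users, so its password should be treated as shared and rotated with openstack user set --password.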