Installation and configuration of the Controller node

Official installation guide: https://docs.openstack.org/install-guide/

Password summary table

Password name Description Password
Database password (no variable used) Root password for the database pike
ADMIN_PASS Password of user admin pike
CINDER_DBPASS Database password for the Block Storage service pike
CINDER_PASS Password of Block Storage service user cinder pike
DASH_DBPASS Database password for the Dashboard pike
DEMO_PASS Password of user demo pike
GLANCE_DBPASS Database password for Image service pike
GLANCE_PASS Password of Image service user glance pike
KEYSTONE_DBPASS Database password of Identity service pike
METADATA_SECRET Secret for the metadata proxy pike
NEUTRON_DBPASS Database password for the Networking service pike
NEUTRON_PASS Password of Networking service user neutron pike
NOVA_DBPASS Database password for Compute service pike
NOVA_PASS Password of Compute service user nova pike
PLACEMENT_PASS Password of the Placement service user placement pike
RABBIT_PASS Password of RabbitMQ user openstack pike

I. Preparation

1. Install and configure the NTP server

  • Install the chrony package
    ~]# yum install chrony -y
  • Edit the chrony configuration file
~]# vim /etc/chrony.conf
allow 10.6.10.0/24
  • Start the chronyd service and enable it at boot
    ~]# systemctl enable chronyd.service
    ~]# systemctl start chronyd.service
  • Verify
~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^? ntp5.flashdance.cx            2   7    20    54    +44ms[+130.8s] +/-  186ms
^? 85.199.214.100                1   7    20    54   +575us[+130.8s] +/-  135ms
^- ntp1.ams1.nl.leaseweb.net     2   6    70    51    +15ms[  +15ms] +/-  245ms
^* time5.aliyun.com              2   6    17    51    -12us[ +107us] +/- 2086us

Make sure the * marker appears: only then has synchronization with the time server completed.

2. Package preparation

  • Install the OpenStack Pike repository
    ~]# yum install centos-release-openstack-pike -y
  • Upgrade the packages
    ~]# yum upgrade
  • Install the OpenStack client package
    ~]# yum install python-openstackclient -y
  • Install the openstack-selinux package
    ~]# yum install openstack-selinux -y

3. Database preparation

  • Install packages
    ~]# yum -y install mariadb mariadb-server python2-PyMySQL
  • Edit the configuration file
~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 10.6.10.1    # management IP of the Controller node

default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
  • Start the mariadb service and enable it at boot
    ~]# systemctl enable mariadb.service
    ~]# systemctl start mariadb.service
  • Run the security script for mariadb and set the database root password to pike
~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

4. RabbitMQ preparation

  • Install packages
    ~]# yum -y install rabbitmq-server
  • Start the service and enable it at boot
    ~]# systemctl enable rabbitmq-server.service
    ~]# systemctl start rabbitmq-server.service
  • Create the openstack user in RabbitMQ with password pike
    ~]# rabbitmqctl add_user openstack pike
    Creating user "openstack" ...
  • Configure permissions for the openstack user
    ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Setting permissions for user "openstack" in vhost "/" ...

5. Memcached preparation

  • Install packages
    ~]# yum install memcached python-memcached -y
  • Edit the configuration file
~]# vim /etc/sysconfig/memcached
Replace OPTIONS="-l 127.0.0.1,::1" with
OPTIONS="-l 127.0.0.1,::1,controller"
  • Start the memcached service and enable it at boot
    ~]# systemctl enable memcached.service
    ~]# systemctl start memcached.service

6. Etcd preparation

  • Install packages
    ~]# yum install etcd -y
  • Edit the configuration file
~]# vim /etc/etcd/etcd.conf
#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://10.6.10.1:2380"
ETCD_LISTEN_CLIENT_URLS="http://10.6.10.1:2379"
ETCD_NAME="controller"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.6.10.1:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://10.6.10.1:2379"
ETCD_INITIAL_CLUSTER="controller=http://10.6.10.1:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
  • Start the etcd service and enable it at boot
    ~]# systemctl enable etcd
    ~]# systemctl start etcd

II. Installing and configuring Keystone

1. Preparation

(1) Log in to the MySQL database as root
~]# mysql -u root -p
(2) Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
(3) Create an account for the keystone database and grant it the required privileges
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'pike';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'pike';

2. Install and configure the components

(1) Install packages
~]# yum -y install openstack-keystone httpd mod_wsgi
(2) Edit the configuration file
~]# cp /etc/keystone/keystone.conf{,.bak}
~]# vim /etc/keystone/keystone.conf
[database]
...
connection = mysql+pymysql://keystone:pike@controller/keystone
[token]
...
provider = fernet
(3) Populate the Identity service database by running the migration command in /bin/sh as the keystone user
~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
At this point the keystone database in MySQL already contains many tables.
(4) Verify that the database migration completed
~]# mysql -u root -p
MariaDB [(none)]> USE keystone;
MariaDB [keystone]> SHOW TABLES;
If many tables are listed, the database migration succeeded.
(5) Initialize the Fernet key repositories
~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
(6) Bootstrap the Identity Service
~]# keystone-manage bootstrap --bootstrap-password pike \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

3. Configure the Apache HTTP Server

(1) Edit the configuration file
~]# cp /etc/httpd/conf/httpd.conf{,.bak}
~]# vim /etc/httpd/conf/httpd.conf
ServerName controller
(2) Create a symbolic link to the /usr/share/keystone/wsgi-keystone.conf configuration file
~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

4. Finalize the installation

(1) Start the httpd service and enable it at boot
~]# systemctl enable httpd.service
~]# systemctl start httpd.service
(2) Configure the administrative account
$ export OS_USERNAME=admin
$ export OS_PASSWORD=pike
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

5. Create a domain, projects, users and roles

(1) Create the service project

~]# openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 04a94172e964433b82be58b94dcc4ad0 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+

(2) Create the demo project and demo user

  • Create the demo project
~]# openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | da335b54c90a41c69c95883a8c265c32 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
  • Create the demo user with password pike
~]# openstack user create --domain default \
  --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 987e3ca1748d473d8d658f5f34d1ad39 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Create the user role
~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 411fe95df52f4b47bba91a9b37413cb7 |
| name      | user                             |
+-----------+----------------------------------+
  • Add the user role to the demo project and demo user
    ~]# openstack role add --project demo --user demo user

Note:
User creation can be repeated, but if you want to create several users in one project, do not repeat the project creation step from the manual.

6. Verify the operation

(1) For security reasons, disable the temporary authentication token mechanism
~]# cp /etc/keystone/keystone-paste.ini{,.bak}
~]# vim /etc/keystone/keystone-paste.ini
Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections
(2) Unset the OS_AUTH_URL and OS_PASSWORD environment variables
~]# unset OS_AUTH_URL OS_PASSWORD
(3) Request an authentication token as the admin user

~]# openstack --os-auth-url http://controller:35357/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-02-07T07:01:17+0000                                                                                                                                                                |
| id         | gAAAAABaepYtjCauMvNZX0SskSdnwouz4aRe88abVyv9a5pYp9Rzl4jWq7voMCrLVyoFlSHtB6TD4K9I6y6kve4Rqrl80SZPTIiEk5E6jvOWTnnNAsJzuOuZzOS7lm0cVpGC00jUKAl-UA6qTFZ4QQbB_GUD0Kv_tMWzulQxIeQsheQ0pt1Zx5o |
| project_id | 63a7987395d54774b6045e2648d88a58                                                                                                                                                        |
| user_id    | 17b3d5190c444945a70ed31009f4fe24                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(4) Request an authentication token as the demo user

~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name demo --os-username demo token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-02-07T07:02:17+0000                                                                                                                                                                |
| id         | gAAAAABaepZp3bKasEy6cIvZoYY9IrtQ4rO7y07Rk8sKqC_txxpTak-Cwek7VVZa_XChTmJtnCqRknKkah8SUS6WZL0U2mKj5vD9N0bhC2oQMuWKqef7VDXDx-huiAQCfDqt4ceiilZXvZoLqVLHl3vzK-x9uetbW8SK-0et43tQoL7TsOTtVdY |
| project_id | da335b54c90a41c69c95883a8c265c32                                                                                                                                                        |
| user_id    | 987e3ca1748d473d8d658f5f34d1ad39                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
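The keystone-paste.ini edit in step (1) of this section can be scripted and checked instead of being done by hand in vim. The shell script below is an added example, not part of the install guide or of Keystone; the keystone-paste.ini excerpt it writes is constructed from the Pike pipeline layout, and the path /etc/keystone/keystone-paste.ini on a real controller is assumed.

```shell
#!/bin/sh
# Added example (not from the install guide): remove the admin_token_auth
# filter from the three Keystone pipelines and verify that none still uses it.

# strip_admin_token_auth FILE: drop admin_token_auth from the "pipeline = ..."
# line of [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3]
# only. Every other line (including the [filter:admin_token_auth] definition)
# is copied unchanged; the original is kept as FILE.bak, the same backup
# convention this guide uses.
strip_admin_token_auth() {
    file="$1"
    cp "$file" "$file.bak"
    awk '
        /^\[/ { section = $0 }
        (section == "[pipeline:public_api]" || section == "[pipeline:admin_api]" || section == "[pipeline:api_v3]") && /^pipeline[ \t]*=/ {
            gsub(/[ \t]+admin_token_auth([ \t]+|$)/, " ")
            sub(/[ \t]+$/, "")
        }
        { print }
    ' "$file.bak" > "$file"
}

# check_admin_token_auth FILE: 0 if no pipeline line still references
# admin_token_auth, 1 otherwise. Only "pipeline =" lines are inspected, so the
# filter definition section does not count as a finding.
check_admin_token_auth() {
    ! grep -Eq '^pipeline[[:space:]]*=.*([[:space:]]|=)admin_token_auth([[:space:]]|$)' "$1"
}

# write_sample_paste_ini FILE: constructed excerpt of a Pike keystone-paste.ini
# with the three pipelines as shipped (admin_token_auth present) plus the
# filter section that must survive untouched.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}

# Stand-alone run against the constructed sample (use the real path on a
# controller: strip_admin_token_auth /etc/keystone/keystone-paste.ini).
sample=$(mktemp)
write_sample_paste_ini "$sample"
strip_admin_token_auth "$sample"
check_admin_token_auth "$sample" && echo "admin_token_auth removed from all pipelines in $sample"
```

Restart httpd after changing the real file so the new pipelines are loaded.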

7. Create the OpenStack client environment scripts

When running openstack commands on the client you will sometimes need to switch between projects and users (admin, demo). For efficiency, put the environment variables each user needs into a separate file; when a particular user's credentials are needed for subsequent operations, simply source that user's environment script instead of setting the variables line by line.
(1) Create the environment script admin-openrc for the admin user
~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=pike
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

(2) Create the environment script demo-openrc for the demo user
~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=pike
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

8. Use the environment scripts

(1) Source admin-openrc to load the admin project and user credentials
~]# . admin-openrc
(2) Request an authentication token

~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-02-07T08:03:40+0000                                                                                                                                                                |
| id         | gAAAAABaeqTMLZZpqm1TE7LZ3-8YTerMSssI_wv7EJTZI9WtxRI7ARwjhDgDGBNx7vwGEkcI4BTWsg1SDFPlen5R5cvLdGLp3syODkoUfJT_lAvRnuOpjp6ZkAeojp_Vf3z3f4bJvd4Clg7tV1OCIFiabIRFjYzXLOiZ69VOS_-xiGW7B67t5xw |
| project_id | 63a7987395d54774b6045e2648d88a58                                                                                                                                                        |
| user_id    | 17b3d5190c444945a70ed31009f4fe24                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
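Both openrc files from section 7 hold OS_PASSWORD in cleartext, so a copy readable by other users hands out the admin credential. The shell functions below are an added example, not part of the install guide: load_openrc refuses to source a group- or world-readable file, checks that every variable the openstack client needs is set, and checks that OS_AUTH_URL uses the Identity port this guide assigns to the user (35357 for admin, 5000 for demo; treating every non-admin user like demo is an assumption). The sample files it writes are constructed copies of admin-openrc and demo-openrc.

```shell
#!/bin/sh
# Added example (not from the install guide): a guarded loader for the
# admin-openrc / demo-openrc scripts of sections 7 and 8.

# openrc_mode_ok FILE: 0 if FILE's group and other permission bits are all
# clear. "ls -ld" is used because stat(1) flags differ between GNU and BSD;
# columns 5-10 of the listing are the group and other bits.
openrc_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# openrc_expected_port USER: Identity API port this guide uses for USER
# (35357 for admin, 5000 otherwise; the "otherwise" generalizes from demo).
openrc_expected_port() {
    if [ "$1" = "admin" ]; then echo 35357; else echo 5000; fi
}

# load_openrc FILE: source FILE into the current shell after the checks;
# returns 0 when the environment is usable, 1 otherwise with a reason.
load_openrc() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "load_openrc: $file is not readable" >&2; return 1
    fi
    if ! openrc_mode_ok "$file"; then
        echo "load_openrc: $file is readable by group/other; run: chmod 600 $file" >&2
        return 1
    fi
    . "$file"
    for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
               OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "load_openrc: $var is not set in $file" >&2; return 1
        fi
    done
    port=$(openrc_expected_port "$OS_USERNAME")
    case "$OS_AUTH_URL" in
        http://controller:$port/v3) ;;
        *) echo "load_openrc: OS_AUTH_URL=$OS_AUTH_URL, expected http://controller:$port/v3" >&2
           return 1 ;;
    esac
    return 0
}

# write_sample_openrc DIR NAME PORT: constructed copy of the guide's
# NAME-openrc (same variables and values) written to DIR for a stand-alone run.
write_sample_openrc() {
    cat > "$1/$2-openrc" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$2
export OS_USERNAME=$2
export OS_PASSWORD=pike
export OS_AUTH_URL=http://controller:$3/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
}

demo_dir=$(mktemp -d)
write_sample_openrc "$demo_dir" admin 35357
chmod 600 "$demo_dir/admin-openrc"
load_openrc "$demo_dir/admin-openrc" && echo "loaded $OS_USERNAME in project $OS_PROJECT_NAME"
```

On the controller, source it as `. ./load-openrc.sh; load_openrc admin-openrc` (a file name assumed here) in place of the bare `. admin-openrc`.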

This completes the installation and configuration of Keystone.

III. Installing and configuring Glance

1. Preparation

(1) Database preparation

  • Log in to the MariaDB database as root
    ~]# mysql -u root -p
  • Create the glance database
    MariaDB [(none)]> CREATE DATABASE glance;
  • Create the glance user and grant it the required privileges
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'pike';

(2) Source the admin-openrc environment script
~]# . admin-openrc
(3) Create the service credentials

  • Create the glance user
~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | ba9d929e90e643b2a2923b839e2670be |
| name                | glance                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Add the admin role to the glance user in the service project
    ~]# openstack role add --project service --user glance admin
  • Create the glance service entity
~]# openstack service create --name glance \
>   --description "OpenStack Image" image
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Image                  |
| enabled     | True                             |
| id          | d904ee2bb6ce40688fedf85081f6cd1e |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+

(4) Create the Image service API endpoints

~]# openstack endpoint create --region RegionOne \
>   image public http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | a91444d587e3488690c376c34b108a60 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | d904ee2bb6ce40688fedf85081f6cd1e |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   image internal http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 088ecf1291144e54ad708c587469d470 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | d904ee2bb6ce40688fedf85081f6cd1e |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   image admin http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | a73e204ccec748dfb8a4de9d46841277 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | d904ee2bb6ce40688fedf85081f6cd1e |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+

2. Install and configure the components

(1) Install packages
~]# yum -y install openstack-glance
(2) Edit the configuration file /etc/glance/glance-api.conf
~]# cp /etc/glance/glance-api.conf{,.bak}
~]# vim /etc/glance/glance-api.conf

[database]
# ...
connection = mysql+pymysql://glance:pike@controller/glance

[keystone_authtoken]
# ...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = pike

[paste_deploy]
# ...
flavor = keystone

[glance_store]
# ...
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/

(3) Edit the configuration file /etc/glance/glance-registry.conf
~]# cp /etc/glance/glance-registry.conf{,.bak}
~]# vim /etc/glance/glance-registry.conf

[database]
# ...
connection = mysql+pymysql://glance:pike@controller/glance

[keystone_authtoken]
# ...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = pike

[paste_deploy]
# ...
flavor = keystone

(4) Run the database migration command in /bin/sh as the glance user
~]# su -s /bin/sh -c "glance-manage db_sync" glance
(5) Verify the result of the database migration

~]# mysql -u root -p
MariaDB [(none)]> USE glance;
MariaDB [glance]> SHOW TABLES;
+----------------------------------+
| Tables_in_glance                 |
+----------------------------------+
| alembic_version                  |
| image_locations                  |
| image_members                    |
| image_properties                 |
| image_tags                       |
| images                           |
| metadef_namespace_resource_types |
| metadef_namespaces               |
| metadef_objects                  |
| metadef_properties               |
| metadef_resource_types           |
| metadef_tags                     |
| migrate_version                  |
| task_info                        |
| tasks                            |
+----------------------------------+
15 rows in set (0.00 sec)

3. Finalize the installation

Start the openstack-glance-api.service and openstack-glance-registry.service services and enable them at boot
~]# systemctl enable openstack-glance-api.service openstack-glance-registry.service
~]# systemctl start openstack-glance-api.service openstack-glance-registry.service

4. Verify the operation

(1) Source the admin-openrc environment script
~]# . admin-openrc
(2) Download the CirrOS image file
~]# yum -y install wget
~]# wget http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-disk.img
(3) Upload the downloaded CirrOS image to Glance

~]# openstack image create "cirros" \
  --file cirros-0.3.5-x86_64-disk.img \
  --disk-format qcow2 --container-format bare \
  --public
+------------------+------------------------------------------------------+
| Field            | Value                                                |
+------------------+------------------------------------------------------+
| checksum         | f8ab98ff5e73ebab884d80c9dc9c7290                     |
| container_format | bare                                                 |
| created_at       | 2018-02-07T08:46:32Z                                 |
| disk_format      | qcow2                                                |
| file             | /v2/images/536da1ed-6f9e-4273-abb2-529e4c212c98/file |
| id               | 536da1ed-6f9e-4273-abb2-529e4c212c98                 |
| min_disk         | 0                                                    |
| min_ram          | 0                                                    |
| name             | cirros                                               |
| owner            | 63a7987395d54774b6045e2648d88a58                     |
| protected        | False                                                |
| schema           | /v2/schemas/image                                    |
| size             | 13267968                                             |
| status           | active                                               |
| tags             |                                                      |
| updated_at       | 2018-02-07T08:46:33Z                                 |
| virtual_size     | None                                                 |
| visibility       | public                                               |
+------------------+------------------------------------------------------+

(4) Confirm the uploaded image and verify that it is valid

~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 536da1ed-6f9e-4273-abb2-529e4c212c98 | cirros | active |
+--------------------------------------+--------+--------+

IV. Installing and configuring Nova

1. Preparation

(1) Database preparation

  • Log in to the MariaDB database as root
    ~]# mysql -u root -p
  • Create the databases
    MariaDB [(none)]> CREATE DATABASE nova_api;
    MariaDB [(none)]> CREATE DATABASE nova;
    MariaDB [(none)]> CREATE DATABASE nova_cell0;
  • Create the nova user and grant it privileges on the three databases
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'pike';

(2) Source the admin-openrc environment script
~]# . admin-openrc
(3) Create the Compute service credentials

  • Create the nova user with password pike
~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | bfe41444cdf940cc93ddae269634c812 |
| name                | nova                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Add the admin role to the nova user in the service project
    ~]# openstack role add --project service --user nova admin
  • Create the nova service entity
~]# openstack service create --name nova \
>   --description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Compute                |
| enabled     | True                             |
| id          | 5670c0380a6041c3a40f9f2bb2caf4f2 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+

(4) Create the Compute API endpoints

~]# openstack endpoint create --region RegionOne \
>   compute public http://controller:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 6a287e44441d467e8eb048361f13b92a |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5670c0380a6041c3a40f9f2bb2caf4f2 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller:8774/v2.1      |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   compute internal http://controller:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f7f8752044c6439c8231dedc7e62b00e |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5670c0380a6041c3a40f9f2bb2caf4f2 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller:8774/v2.1      |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   compute admin http://controller:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 5496bf7192d8409282932070fd25931f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5670c0380a6041c3a40f9f2bb2caf4f2 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller:8774/v2.1      |
+--------------+----------------------------------+

(5) Create a placement service user with password pike

~]# openstack user create --domain default --password-prompt placement
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 04ae4b011e324f779580724b53c8444b |
| name                | placement                        |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

(6) Add the placement user to the service project with the admin role
~]# openstack role add --project service --user placement admin
(7) Create the Placement API entry in the service catalog

~]# openstack service create --name placement --description "Placement API" placement
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Placement API                    |
| enabled     | True                             |
| id          | 7cf728f3318040d9b0a8cefb8b651d03 |
| name        | placement                        |
| type        | placement                        |
+-------------+----------------------------------+

(8) Create the Placement API service endpoints

~]# openstack endpoint create --region RegionOne placement public http://controller:8778
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 5076da7f51074d1481f3ab84d3c9a785 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7cf728f3318040d9b0a8cefb8b651d03 |
| service_name | placement                        |
| service_type | placement                        |
| url          | http://controller:8778           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne placement internal http://controller:8778
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 3c4d05b6f2d542339567aa1217a65ec6 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7cf728f3318040d9b0a8cefb8b651d03 |
| service_name | placement                        |
| service_type | placement                        |
| url          | http://controller:8778           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne placement admin http://controller:8778
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f9beb6af8f4a4b88a64fabfda44f5d9d |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7cf728f3318040d9b0a8cefb8b651d03 |
| service_name | placement                        |
| service_type | placement                        |
| url          | http://controller:8778           |
+--------------+----------------------------------+

2. Install and configure the components

(1) Install the packages
~]# yum -y install openstack-nova-api openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler openstack-nova-placement-api
(2) Edit the configuration file /etc/nova/nova.conf
~]# cp /etc/nova/nova.conf{,.bak}
~]# vim /etc/nova/nova.conf

[DEFAULT]
# ...
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:pike@controller
my_ip = 10.6.10.1
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[api_database]
# ...
connection = mysql+pymysql://nova:pike@controller/nova_api

[database]
# ...
connection = mysql+pymysql://nova:pike@controller/nova

[api]
# ...
auth_strategy = keystone

[keystone_authtoken]
# ...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = pike

[vnc]
enabled = true
# ...
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip

[glance]
# ...
api_servers = http://controller:9292

[oslo_concurrency]
# ...
lock_path = /var/lib/nova/tmp

[placement]
# ...
os_region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:35357/v3
username = placement
password = pike

Due to a packaging bug, an extra configuration block also has to be added for the Placement API

~]# vim /etc/httpd/conf.d/00-nova-placement-api.conf
Add the following lines at the end of the configuration file:

<Directory /usr/bin>
   <IfVersion >= 2.4>
      Require all granted
   </IfVersion>
   <IfVersion < 2.4>
      Order allow,deny
      Allow from all
   </IfVersion>
</Directory>

Restart the httpd service
~]# systemctl restart httpd
(3) Populate the nova-api database
~]# su -s /bin/sh -c "nova-manage api_db sync" nova
(4) Register the cell0 database
~]# su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
(5) Create the cell1 cell
~]# su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
(6) Populate the nova database
~]# su -s /bin/sh -c "nova-manage db sync" nova
The following warnings are printed:

/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `block_device_mapping_instance_uuid_virtual_name_device_name_idx`. This is deprecated and will be disallowed in a future release.')
  result = self._query(query)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `uniq_instances0uuid`. This is deprecated and will be disallowed in a future release.')
  result = self._query(query)

(7) Verify that nova cell0 and cell1 are registered correctly

~]# nova-manage cell_v2 list_cells
+-------+--------------------------------------+------------------------------------+-------------------------------------------------+
|  Name |                 UUID                 |           Transport URL            |               Database Connection               |
+-------+--------------------------------------+------------------------------------+-------------------------------------------------+
| cell0 | 00000000-0000-0000-0000-000000000000 |               none:/               | mysql+pymysql://nova:****@controller/nova_cell0 |
| cell1 | c645de34-d50f-4134-b50d-15855cd0e105 | rabbit://openstack:****@controller |    mysql+pymysql://nova:****@controller/nova    |
+-------+--------------------------------------+------------------------------------+-------------------------------------------------+

3. Finalize the installation

~]# systemctl enable openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
~]# systemctl start openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service

4. Verify the operation

Warning: this step can only be performed after nova has been installed and configured on the compute node!

(1) Source the admin-openrc environment variable file
~]# . admin-openrc
(2) List the service components to verify that each process was loaded and registered successfully

~]# openstack compute service list
+----+------------------+------------+----------+---------+-------+----------------------------+
| ID | Binary           | Host       | Zone     | Status  | State | Updated At                 |
+----+------------------+------------+----------+---------+-------+----------------------------+
|  1 | nova-consoleauth | controller | internal | enabled | up    | 2018-02-08T06:25:43.000000 |
|  2 | nova-scheduler   | controller | internal | enabled | up    | 2018-02-08T06:25:41.000000 |
|  3 | nova-conductor   | controller | internal | enabled | up    | 2018-02-08T06:25:50.000000 |
|  6 | nova-compute     | compute1   | nova     | enabled | up    | 2018-02-08T06:25:49.000000 |
+----+------------------+------------+----------+---------+-------+----------------------------+

(3) List the API endpoints in the Identity Service to verify connectivity with the Identity Service

~]# openstack catalog list
+-----------+-----------+-----------------------------------------+
| Name      | Type      | Endpoints                               |
+-----------+-----------+-----------------------------------------+
| nova      | compute   | RegionOne                               |
|           |           |   admin: http://controller:8774/v2.1    |
|           |           | RegionOne                               |
|           |           |   public: http://controller:8774/v2.1   |
|           |           | RegionOne                               |
|           |           |   internal: http://controller:8774/v2.1 |
|           |           |                                         |
| keystone  | identity  | RegionOne                               |
|           |           |   internal: http://controller:5000/v3/  |
|           |           | RegionOne                               |
|           |           |   admin: http://controller:35357/v3/    |
|           |           | RegionOne                               |
|           |           |   public: http://controller:5000/v3/    |
|           |           |                                         |
| placement | placement | RegionOne                               |
|           |           |   internal: http://controller:8778      |
|           |           | RegionOne                               |
|           |           |   public: http://controller:8778        |
|           |           | RegionOne                               |
|           |           |   admin: http://controller:8778         |
|           |           |                                         |
| glance    | image     | RegionOne                               |
|           |           |   internal: http://controller:9292      |
|           |           | RegionOne                               |
|           |           |   admin: http://controller:9292         |
|           |           | RegionOne                               |
|           |           |   public: http://controller:9292        |
|           |           |                                         |
+-----------+-----------+-----------------------------------------+

(4) List the images in the Image Service to verify connectivity with the Image Service

~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 536da1ed-6f9e-4273-abb2-529e4c212c98 | cirros | active |
+--------------------------------------+--------+--------+

(5) Check that the cells and the placement API are working correctly

~]# nova-status upgrade check
+---------------------------+
| Upgrade Check Results     |
+---------------------------+
| Check: Cells v2           |
| Result: Success           |
| Details: None             |
+---------------------------+
| Check: Placement API      |
| Result: Success           |
| Details: None             |
+---------------------------+
| Check: Resource Providers |
| Result: Success           |
| Details: None             |
+---------------------------+

V. Neutron installation and configuration

1. Prerequisites

(1) Database preparation

  • Log in to MariaDB as root
    ~]# mysql -u root -p
  • Create the neutron database
    MariaDB [(none)]> CREATE DATABASE neutron;
  • Create the user and grant access privileges
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'pike';

(2) Source the admin-openrc environment variable script
~]# . admin-openrc
(3) Create the service credentials

  • Create the neutron user and set its password to pike
~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d2336870c46e4e64a6814bf0882cf55e |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Add the admin role to the neutron user in the service project
    ~]# openstack role add --project service --user neutron admin
  • Create the neutron service entity
~]# openstack service create --name neutron \
>   --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 0c3ce11f02344e9fa2ce5fd466e37b9e |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

(4) Create the Networking Service API endpoints

~]# openstack endpoint create --region RegionOne \
>   network public http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | d1a29b22e7224c47b27b4013280350e4 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0c3ce11f02344e9fa2ce5fd466e37b9e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   network internal http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 405debe4498245bd9891d89a9f636f5c |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0c3ce11f02344e9fa2ce5fd466e37b9e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

~]# openstack endpoint create --region RegionOne \
>   network admin http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c4446b135e8145e490d4d017ab27f089 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0c3ce11f02344e9fa2ce5fd466e37b9e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

2. Configure the networking option

This lab uses the self-service network option
(1) Install the packages
~]# yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
(2) Edit the configuration file /etc/neutron/neutron.conf
~]# cp /etc/neutron/neutron.conf{,.bak}
~]# vim /etc/neutron/neutron.conf

[database]
# ...
connection = mysql+pymysql://neutron:pike@controller/neutron

[DEFAULT]
# ...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
transport_url = rabbit://openstack:pike@controller
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true

[keystone_authtoken]
# ...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = pike

[nova]
# ...
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = pike

[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp

(3) Configure the Modular Layer 2 (ML2) plug-in
~]# cp /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini

[ml2]
# ...
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security

[ml2_type_flat]
# ...
flat_networks = provider

[ml2_type_vxlan]
# ...
vni_ranges = 1:1000

[securitygroup]
# ...
enable_ipset = true

Warning:
Once the ML2 plug-in has been configured, removing values from the type_drivers option in [ml2] can cause database inconsistency!

(4) Configure the Linux bridge agent
~]# cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]
physical_interface_mappings = provider:ens192
# physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
# where PROVIDER_INTERFACE_NAME is replaced with the name of the controller node's provider (external) network interface

[vxlan]
enable_vxlan = true
local_ip = 10.6.10.1
l2_population = true
# local_ip = OVERLAY_INTERFACE_IP_ADDRESS
# where OVERLAY_INTERFACE_IP_ADDRESS is replaced with the IP address of the controller node's management interface

[securitygroup]
# ...
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

(5) Configure the layer-3 agent
~]# cp /etc/neutron/l3_agent.ini{,.bak}
~]# vim /etc/neutron/l3_agent.ini

[DEFAULT]
# ...
interface_driver = linuxbridge

(6) Configure the DHCP agent
~]# cp /etc/neutron/dhcp_agent.ini{,.bak}
~]# vim /etc/neutron/dhcp_agent.ini

[DEFAULT]
# ...
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true

(7) Configure the metadata agent
~]# cp /etc/neutron/metadata_agent.ini{,.bak}
~]# vim /etc/neutron/metadata_agent.ini

[DEFAULT]
# ...
nova_metadata_host = controller
metadata_proxy_shared_secret = pike
# metadata_proxy_shared_secret = METADATA_SECRET
# where METADATA_SECRET is the secret configured for the metadata proxy

(8) Configure the Compute service to use the Networking service
~]# cp /etc/nova/nova.conf{,.neutron.bak}
~]# vim /etc/nova/nova.conf

[neutron]
# ...
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = pike
service_metadata_proxy = true
metadata_proxy_shared_secret = pike
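
The nova.conf and neutron.conf edits above put the Keystone service password, the RabbitMQ password and the database credentials into files that several daemons read. As an added example, not code from the install guide, the following shell script checks such a file for the expected values of its security-relevant keys (auth strategy, ML2 core plug-in, firewall driver, token auth type) and for a file mode that keeps it unreadable by other users. The INI parser, the function names and the two sample fragments are my own construction; the expected values are the ones set on this page, with pike as the lab password.

```shell
#!/bin/bash
# Added example, not from the OpenStack install guide: verify the
# security-relevant keys of an oslo.config-style INI file (nova.conf,
# neutron.conf) and make sure the file, which holds clear-text passwords,
# is not world-readable. Sample fragments below are constructed.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                      # a new [section] starts
            cur = $0
            sub(/^[[:space:]]*\[/, "", cur); sub(/\].*$/, "", cur)
            next
        }
        cur == section && /^[[:space:]]*[^#;[:space:]]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_ini FILE SECTION/KEY=EXPECTED ... -> 0 when every expectation holds;
# otherwise prints each mismatch and returns 1
check_ini() {
    local file="$1" rc=0 spec section key expected actual
    shift
    for spec in "$@"; do
        section="${spec%%/*}"
        key="${spec#*/}"; key="${key%%=*}"
        expected="${spec#*=}"
        actual="$(ini_get "$file" "$section" "$key")"
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $file [$section] $key: expected '$expected', got '${actual:-<unset>}'"
            rc=1
        fi
    done
    return "$rc"
}

# check_mode FILE -> 0 when the file is not readable by "other", else 1
check_mode() {
    local mode
    mode="$(stat -c '%a' "$1")"
    case "$mode" in
        *[4567]) echo "WORLD-READABLE $1 (mode $mode); use 640 owned by the service group"; return 1 ;;
    esac
    return 0
}

# make_sample_conf nova|neutron -> path of a constructed fragment mirroring this page's settings
make_sample_conf() {
    local f; f="$(mktemp)"
    if [ "$1" = nova ]; then
        cat > "$f" <<'EOF'
[DEFAULT]
# ...
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api]
auth_strategy = keystone
[keystone_authtoken]
auth_type = password
password = pike
EOF
    else
        cat > "$f" <<'EOF'
[DEFAULT]
core_plugin = ml2
auth_strategy = keystone
[keystone_authtoken]
auth_type = password
password = pike
EOF
    fi
    chmod 640 "$f"
    echo "$f"
}

check_nova_conf() {
    check_ini "$1" api/auth_strategy=keystone DEFAULT/use_neutron=True \
        DEFAULT/firewall_driver=nova.virt.firewall.NoopFirewallDriver \
        keystone_authtoken/auth_type=password && check_mode "$1"
}
check_neutron_conf() {
    check_ini "$1" DEFAULT/auth_strategy=keystone DEFAULT/core_plugin=ml2 \
        keystone_authtoken/auth_type=password && check_mode "$1"
}

# Demo: both constructed samples pass; a copy of the nova sample with
# auth_strategy removed and mode 644 is reported.
for svc in nova neutron; do
    f="$(make_sample_conf "$svc")"
    "check_${svc}_conf" "$f" && echo "$svc.conf sample: OK"
    rm -f "$f"
done
f="$(make_sample_conf nova)"
grep -v '^auth_strategy' "$f" > "$f.broken"; chmod 644 "$f.broken"
check_nova_conf "$f.broken" || echo "nova.conf copy: FAILED (expected)"
rm -f "$f" "$f.broken"
```

On a real controller the same functions apply directly to the installed files, for example `check_nova_conf /etc/nova/nova.conf` and `check_neutron_conf /etc/neutron/neutron.conf`; the expectation list is easy to extend with the other keys shown above.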

3. Finalize the installation

(1) The Networking Service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini.
~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
(2) Populate the database
~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
(3) Restart the Compute API service
~]# systemctl restart openstack-nova-api.service
(4) Start the services and configure them to start at boot
~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service
~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service

4. Verify the operation

Warning: this step can only be performed after Neutron has been installed and configured on the compute node!

(1) Source the admin-openrc environment variable script
~]# . admin-openrc
(2) List the loaded extensions to verify that the neutron-server process started successfully

~]# openstack extension list --network
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Name                                                                                         | Alias                     | Description                                                                                                                                              |
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Default Subnetpools                                                                          | default-subnetpools       | Provides ability to mark and use a subnetpool as the default                                                                                             |
| Network IP Availability                                                                      | network-ip-availability   | Provides IP availability data for each network and subnet.                                                                                               |
| Network Availability Zone                                                                    | network_availability_zone | Availability zone support for network.                                                                                                                   |
| Auto Allocated Topology Services                                                             | auto-allocated-topology   | Auto Allocated Topology Services.                                                                                                                        |
| Neutron L3 Configurable external gateway mode                                                | ext-gw-mode               | Extension of the router abstraction for specifying whether SNAT should occur on the external gateway                                                     |
| Port Binding                                                                                 | binding                   | Expose port bindings of a virtual port to external application                                                                                           |
| agent                                                                                        | agent                     | The agent management extension.                                                                                                                          |
| Subnet Allocation                                                                            | subnet_allocation         | Enables allocation of subnets from a subnet pool                                                                                                         |
| L3 Agent Scheduler                                                                           | l3_agent_scheduler        | Schedule routers among l3 agents                                                                                                                         |
| Tag support                                                                                  | tag                       | Enables to set tag on resources.                                                                                                                         |
| Neutron external network                                                                     | external-net              | Adds external network attribute to network resource.                                                                                                     |
| Tag support for resources with standard attribute: trunk, policy, security_group, floatingip | standard-attr-tag         | Enables to set tag on resources with standard attribute.                                                                                                 |
| Neutron Service Flavors                                                                      | flavors                   | Flavor specification for Neutron advanced services                                                                                                       |
| Network MTU                                                                                  | net-mtu                   | Provides MTU attribute for a network resource.                                                                                                           |
| Availability Zone                                                                            | availability_zone         | The availability zone extension.                                                                                                                         |
| Quota management support                                                                     | quotas                    | Expose functions for quotas management per tenant                                                                                                        |
| If-Match constraints based on revision_number                                                | revision-if-match         | Extension indicating that If-Match based on revision_number is supported.                                                                                |
| HA Router extension                                                                          | l3-ha                     | Add HA capability to routers.                                                                                                                            |
| Provider Network                                                                             | provider                  | Expose mapping of virtual networks to physical networks                                                                                                  |
| Multi Provider Network                                                                       | multi-provider            | Expose mapping of virtual networks to multiple physical networks                                                                                         |
| Quota details management support                                                             | quota_details             | Expose functions for quotas usage statistics per project                                                                                                 |
| Address scope                                                                                | address-scope             | Address scopes extension.                                                                                                                                |
| Neutron Extra Route                                                                          | extraroute                | Extra routes configuration for L3 router                                                                                                                 |
| Network MTU (writable)                                                                       | net-mtu-writable          | Provides a writable MTU attribute for a network resource.                                                                                                |
| Subnet service types                                                                         | subnet-service-types      | Provides ability to set the subnet service_types field                                                                                                   |
| Resource timestamps                                                                          | standard-attr-timestamp   | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes.                                                    |
| Neutron Service Type Management                                                              | service-type              | API for retrieving service providers for Neutron advanced services                                                                                       |
| Router Flavor Extension                                                                      | l3-flavors                | Flavor support for routers.                                                                                                                              |
| Port Security                                                                                | port-security             | Provides port security                                                                                                                                   |
| Neutron Extra DHCP options                                                                   | extra_dhcp_opt            | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |
| Resource revision numbers                                                                    | standard-attr-revisions   | This extension will display the revision number of neutron resources.                                                                                    |
| Pagination support                                                                           | pagination                | Extension that indicates that pagination is enabled.                                                                                                     |
| Sorting support                                                                              | sorting                   | Extension that indicates that sorting is enabled.                                                                                                        |
| security-group                                                                               | security-group            | The security groups extension.                                                                                                                           |
| DHCP Agent Scheduler                                                                         | dhcp_agent_scheduler      | Schedule networks among dhcp agents                                                                                                                      |
| Router Availability Zone                                                                     | router_availability_zone  | Availability zone support for router.                                                                                                                    |
| RBAC Policies                                                                                | rbac-policies             | Allows creation and modification of policies that control tenant access to resources.                                                                    |
| Tag support for resources: subnet, subnetpool, port, router                                  | tag-ext                   | Extends tag support to more L2 and L3 resources.                                                                                                         |
| standard-attr-description                                                                    | standard-attr-description | Extension to add descriptions to standard attributes                                                                                                     |
| Neutron L3 Router                                                                            | router                    | Router abstraction for basic L3 forwarding between L2 Neutron networks and access to external networks via a NAT gateway.                                |
| Allowed Address Pairs                                                                        | allowed-address-pairs     | Provides allowed address pairs                                                                                                                           |
| project_id field enabled                                                                     | project-id                | Extension that indicates that project_id field is enabled.                                                                                               |
| Distributed Virtual Router                                                                   | dvr                       | Enables configuration of Distributed Virtual Routers.                                                                                                    |
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+

(3) List the agents to verify that the neutron agents started successfully

~]# openstack network agent list
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host       | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| 1c772006-151d-484c-8b62-aa0c95fbbe4c | DHCP agent         | controller | nova              | :-)   | UP    | neutron-dhcp-agent        |
| 1e71fc01-afba-4485-af41-bc6ee2a778ca | L3 agent           | controller | nova              | :-)   | UP    | neutron-l3-agent          |
| 35539e5d-a9b0-442a-a170-1e671b7f5eb9 | Linux bridge agent | compute1   | None              | :-)   | UP    | neutron-linuxbridge-agent |
| 9b93b66e-e86c-4e8d-aee3-e46223c38178 | Metadata agent     | controller | None              | :-)   | UP    | neutron-metadata-agent    |
| e3e81d7b-25d3-4907-bf43-099c3be03d92 | Linux bridge agent | controller | None              | :-)   | UP    | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+

If you chose the self-service networking option, the output should show four agents on the controller node (DHCP, L3, metadata and Linux bridge) and one Linux bridge agent on each compute node.

VI. Installing and configuring Horizon

1. Install and configure the components

(1) Install the package
~]# yum -y install openstack-dashboard
(2) Edit the configuration file
~]# cp /etc/openstack-dashboard/local_settings{,.bak}
~]# vim /etc/openstack-dashboard/local_settings

  • Configure the dashboard to use the OpenStack services on the controller node
    OPENSTACK_HOST = "controller"
  • Configure the dashboard's allowed-host list
    Example: ALLOWED_HOSTS = ['one.example.com', 'two.example.com']; ['*'] allows every host. ALLOWED_HOSTS is Django's Host-header check, so ['*'] makes the dashboard answer requests carrying any Host value; outside a lab, list the hostnames or addresses users actually browse to.
    ALLOWED_HOSTS = ['*']
  • Configure memcached as the session storage service
  • 配置memcached会话存储服务
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

CACHES = {
    'default': {
         'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
         'LOCATION': 'controller:11211',
    }
}
  • Enable Identity API v3
    OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

  • Enable support for domains
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

  • Configure the API versions

OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}
  • Make Default the default domain for users created through the dashboard
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"

  • Make user the default role for users created through the dashboard
    OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
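
To make the ALLOWED_HOSTS point concrete, the following is an added example (not code from this page, from Horizon or from Django): a Python reimplementation of the matching rules Django applies to that setting, comparing the ['*'] value used above with an explicit list. The hostnames in PROD_SETTING are assumptions for illustration.

```python
import re

# Added illustration for this page, modelled on the matching rules Django applies
# to ALLOWED_HOSTS (wildcard '*', leading-dot suffix patterns, exact match);
# it is not Django's or Horizon's own code.

_HOST_RE = re.compile(r'^(\[[0-9a-f:.]+\]|[^:\[\]]+)(?::\d+)?$')


def split_domain_port(host_header):
    """Return the lowercased host part of a Host header without the port.
    A malformed value yields '' and therefore matches nothing."""
    m = _HOST_RE.match(host_header.strip().lower())
    return m.group(1) if m else ''


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and every subdomain of it;
    any other pattern has to match the host exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == '.':
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def host_allowed(host_header, allowed_hosts):
    """True if a request with this Host header passes the ALLOWED_HOSTS check."""
    host = split_domain_port(host_header)
    if not host:
        return False
    return any(p == '*' or is_same_domain(host, p) for p in allowed_hosts)


# The value used on this page versus an explicit list. The entries in
# PROD_SETTING are assumed names for illustration; use the names your users type.
LAB_SETTING = ['*']
PROD_SETTING = ['controller', 'controller.example.com', '10.6.10.1']


def compare(host_header):
    """What each setting does with one Host header value."""
    return {'lab': host_allowed(host_header, LAB_SETTING),
            'prod': host_allowed(host_header, PROD_SETTING)}


if __name__ == '__main__':
    for h in ('controller', 'controller:80', 'attacker.example', '[::1]:8080'):
        print(h, compare(h))
```

With ['*'] every Host value, including one an attacker controls in a crafted link or DNS rebinding setup, is accepted; with the explicit list only the listed names pass, and a port suffix or different letter case does not change the result.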

2. Finalize the installation

~]# systemctl restart httpd.service memcached.service

3. Verify operation

Open http://controller/dashboard in a browser.
Log in as the admin or demo user with the default domain.
The dashboard is served over plain HTTP here, so passwords cross the network in the clear; front it with TLS before exposing it beyond the lab.
VII. Installing and configuring Cinder

1. Preparation

(1) Prepare the database

  • Log in to MariaDB as root
    ~]# mysql -u root -p
  • Create the cinder database
    MariaDB [(none)]> CREATE DATABASE cinder;
  • Create the user and grant privileges
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'pike';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'pike';

(2) Source the admin-openrc environment file
~]# . admin-openrc
(3) Create the service credentials

  • Create the cinder user and set its password to pike
~]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 633f9f1c94174673bccaaaa6fc782374 |
| name                | cinder                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Grant the admin role to the cinder user on the service project
    ~]# openstack role add --project service --user cinder admin
  • Create the cinderv2 and cinderv3 service entities
~]# openstack service create --name cinderv2 \
>   --description "OpenStack Block Storage" volumev2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Block Storage          |
| enabled     | True                             |
| id          | e2cfa3ce266a4dd2aed4e24163c5a799 |
| name        | cinderv2                         |
| type        | volumev2                         |
+-------------+----------------------------------+

~]# openstack service create --name cinderv3 \
>   --description "OpenStack Block Storage" volumev3
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Block Storage          |
| enabled     | True                             |
| id          | d007c892d7cc4fbeb2b26a51dc713512 |
| name        | cinderv3                         |
| type        | volumev3                         |
+-------------+----------------------------------+
  • Create the Block Storage service API endpoints
~]# openstack endpoint create --region RegionOne \
>   volumev2 public http://controller:8776/v2/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | 13bbcaf3e641489090358ebf4708ea1a         |
| interface    | public                                   |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | e2cfa3ce266a4dd2aed4e24163c5a799         |
| service_name | cinderv2                                 |
| service_type | volumev2                                 |
| url          | http://controller:8776/v2/%(project_id)s |
+--------------+------------------------------------------+

~]# openstack endpoint create --region RegionOne \
>   volumev2 internal http://controller:8776/v2/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | a371e714b3c04d4e8890d23de362d3c7         |
| interface    | internal                                 |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | e2cfa3ce266a4dd2aed4e24163c5a799         |
| service_name | cinderv2                                 |
| service_type | volumev2                                 |
| url          | http://controller:8776/v2/%(project_id)s |
+--------------+------------------------------------------+

~]# openstack endpoint create --region RegionOne \
>   volumev2 admin http://controller:8776/v2/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | 485f0cbd6b164d8c820e75bb3bea0fd4         |
| interface    | admin                                    |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | e2cfa3ce266a4dd2aed4e24163c5a799         |
| service_name | cinderv2                                 |
| service_type | volumev2                                 |
| url          | http://controller:8776/v2/%(project_id)s |
+--------------+------------------------------------------+

~]# openstack endpoint create --region RegionOne \
>   volumev3 public http://controller:8776/v3/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | 4fbce878cd5442cfa5faac3c0cb8d539         |
| interface    | public                                   |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | d007c892d7cc4fbeb2b26a51dc713512         |
| service_name | cinderv3                                 |
| service_type | volumev3                                 |
| url          | http://controller:8776/v3/%(project_id)s |
+--------------+------------------------------------------+

~]# openstack endpoint create --region RegionOne \
>   volumev3 internal http://controller:8776/v3/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | 80d0f8a6a0484d689b2e393828dc8c43         |
| interface    | internal                                 |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | d007c892d7cc4fbeb2b26a51dc713512         |
| service_name | cinderv3                                 |
| service_type | volumev3                                 |
| url          | http://controller:8776/v3/%(project_id)s |
+--------------+------------------------------------------+

~]# openstack endpoint create --region RegionOne \
>   volumev3 admin http://controller:8776/v3/%\(project_id\)s
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| enabled      | True                                     |
| id           | 7d586326146b4e29ace066de6fd480b6         |
| interface    | admin                                    |
| region       | RegionOne                                |
| region_id    | RegionOne                                |
| service_id   | d007c892d7cc4fbeb2b26a51dc713512         |
| service_name | cinderv3                                 |
| service_type | volumev3                                 |
| url          | http://controller:8776/v3/%(project_id)s |
+--------------+------------------------------------------+

2. Install and configure the components

  • Install the package
    ~]# yum install openstack-cinder -y
  • Edit the configuration file
    ~]# cp /etc/cinder/cinder.conf{,.bak}
    ~]# vim /etc/cinder/cinder.conf
[database]
# ...
connection = mysql+pymysql://cinder:pike@controller/cinder

[DEFAULT]
# ...
transport_url = rabbit://openstack:pike@controller
auth_strategy = keystone
my_ip = 10.6.10.1

[keystone_authtoken]
# ...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = cinder
password = pike

[oslo_concurrency]
# ...
lock_path = /var/lib/cinder/tmp

3. Configure the Compute service to use Block Storage

This edit is made to nova.conf on the controller, where nova-api runs (the restart in the next step is of nova-api):

~]# cp /etc/nova/nova.conf{,.horizon.bak}
~]# vim /etc/nova/nova.conf

[cinder]
os_region_name = RegionOne

4. Finalize the installation

(1) Restart the openstack-nova-api service
~]# systemctl restart openstack-nova-api.service
(2) Enable and start openstack-cinder-api.service and openstack-cinder-scheduler.service
~]# systemctl enable openstack-cinder-api.service openstack-cinder-scheduler.service
~]# systemctl start openstack-cinder-api.service openstack-cinder-scheduler.service

Only the API and scheduler run on the controller; cinder-volume belongs on a storage node, which this page does not cover. After sourcing admin-openrc, openstack volume service list shows which Block Storage services are registered and up.

VIII. Launching an instance

1. Create the virtual networks

(1) Create the provider network

  • Source the admin-openrc environment file
    ~]# . admin-openrc
  • Create the network
~]# openstack network create  --share --external --provider-physical-network provider --provider-network-type flat provider
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2018-02-12T02:27:14Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 8494999d-5736-4ca6-a9c1-1b10bf0e62f1 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | provider                             |
| port_security_enabled     | True                                 |
| project_id                | 63a7987395d54774b6045e2648d88a58     |
| provider:network_type     | flat                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 3                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2018-02-12T02:27:14Z                 |
+---------------------------+--------------------------------------+
  • Create the subnet
~]# openstack subnet create --network provider --allocation-pool start=10.6.11.100,end=10.6.11.150 --dns-nameserver 114.114.114.114 --gateway 10.6.11.254 --subnet-range 10.6.11.0/24 provider
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| allocation_pools        | 10.6.11.100-10.6.11.150              |
| cidr                    | 10.6.11.0/24                         |
| created_at              | 2018-02-12T02:32:13Z                 |
| description             |                                      |
| dns_nameservers         | 114.114.114.114                      |
| enable_dhcp             | True                                 |
| gateway_ip              | 10.6.11.254                          |
| host_routes             |                                      |
| id                      | 51b142cf-4d4c-4069-b8b3-1800c2130902 |
| ip_version              | 4                                    |
| ipv6_address_mode       | None                                 |
| ipv6_ra_mode            | None                                 |
| name                    | provider                             |
| network_id              | 8494999d-5736-4ca6-a9c1-1b10bf0e62f1 |
| project_id              | 63a7987395d54774b6045e2648d88a58     |
| revision_number         | 0                                    |
| segment_id              | None                                 |
| service_types           |                                      |
| subnetpool_id           | None                                 |
| tags                    |                                      |
| updated_at              | 2018-02-12T02:32:13Z                 |
| use_default_subnet_pool | None                                 |
+-------------------------+--------------------------------------+
  • Check the resulting network configuration
~]# openstack subnet list
+--------------------------------------+----------+--------------------------------------+--------------+
| ID                                   | Name     | Network                              | Subnet       |
+--------------------------------------+----------+--------------------------------------+--------------+
| 51b142cf-4d4c-4069-b8b3-1800c2130902 | provider | 8494999d-5736-4ca6-a9c1-1b10bf0e62f1 | 10.6.11.0/24 |
+--------------------------------------+----------+--------------------------------------+--------------+

(2) Create the self-service network

  • Source the demo-openrc environment file
    ~]# . demo-openrc
  • Create the network
~]# openstack network create selfservice
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2018-02-14T01:22:10Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 732b888f-b4e9-4eae-ad82-c93b51a67080 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | selfservice                          |
| port_security_enabled     | True                                 |
| project_id                | da335b54c90a41c69c95883a8c265c32     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2018-02-14T01:22:10Z                 |
+---------------------------+--------------------------------------+
  • Edit the ml2_conf.ini configuration file (neutron-server must be restarted for ML2 changes to take effect: systemctl restart neutron-server.service)
    ~]# cp /etc/neutron/plugins/ml2/ml2_conf.ini{,.provider.bak}
    ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
tenant_network_types = vxlan

[ml2_type_vxlan]
vni_ranges = 1:1000
  • Create a subnet in the selfservice network
~]# openstack subnet create --network selfservice --dns-nameserver 114.114.114.114 --gateway 172.20.0.1 --subnet-range 172.20.0.0/16 selfservice-172.20
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| allocation_pools        | 172.20.0.2-172.20.255.254            |
| cidr                    | 172.20.0.0/16                        |
| created_at              | 2018-02-14T01:47:23Z                 |
| description             |                                      |
| dns_nameservers         | 114.114.114.114                      |
| enable_dhcp             | True                                 |
| gateway_ip              | 172.20.0.1                           |
| host_routes             |                                      |
| id                      | bff97960-ede3-440a-85dc-3c1399289b76 |
| ip_version              | 4                                    |
| ipv6_address_mode       | None                                 |
| ipv6_ra_mode            | None                                 |
| name                    | selfservice-172.20                   |
| network_id              | 732b888f-b4e9-4eae-ad82-c93b51a67080 |
| project_id              | da335b54c90a41c69c95883a8c265c32     |
| revision_number         | 0                                    |
| segment_id              | None                                 |
| service_types           |                                      |
| subnetpool_id           | None                                 |
| tags                    |                                      |
| updated_at              | 2018-02-14T01:47:23Z                 |
| use_default_subnet_pool | None                                 |
+-------------------------+--------------------------------------+

(3) Create the router

  • Source the demo-openrc environment file
    ~]# . demo-openrc
  • Create the router
~]# openstack router create router
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2018-02-14T01:49:31Z                 |
| description             |                                      |
| distributed             | False                                |
| external_gateway_info   | None                                 |
| flavor_id               | None                                 |
| ha                      | False                                |
| id                      | 6f7ba61a-31d5-4db9-b480-c81f6fdc1db8 |
| name                    | router                               |
| project_id              | da335b54c90a41c69c95883a8c265c32     |
| revision_number         | None                                 |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2018-02-14T01:49:31Z                 |
+-------------------------+--------------------------------------+
  • Add the self-service subnet to the router as an interface (the neutron CLI is deprecated; the equivalent is openstack router add subnet router selfservice-172.20)
~]# neutron router-interface-add router selfservice-172.20
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Added interface d778a840-eb14-4b05-bf93-7675426bbbfa to router router.
  • Set the provider network as the router's external gateway (equivalent: openstack router set --external-gateway provider router)
~]# neutron router-gateway-set router provider
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Set gateway for router router

(4) Verify operation

Perform these steps on the controller node.

  • Source the admin-openrc environment file
    ~]# . admin-openrc
  • List the network namespaces; there should be one qrouter namespace and two qdhcp namespaces (one per network with DHCP enabled)
~]# ip netns
qrouter-6f7ba61a-31d5-4db9-b480-c81f6fdc1db8 (id: 2)
qdhcp-732b888f-b4e9-4eae-ad82-c93b51a67080 (id: 1)
qdhcp-3c54c8fe-41b5-4691-aac4-ae6e2436cae2 (id: 0)
  • List the router's ports to find its gateway IP address on the provider network
~]# neutron router-port-list router
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | tenant_id                        | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
| 902e8e7d-e149-4b7e-a05a-ae27173fcaae |      |                                  | fa:16:3e:2e:40:7b | {"subnet_id": "67229772-925c-4471-a7a7-901580ace1ae", "ip_address": "10.6.11.111"} |
| d778a840-eb14-4b05-bf93-7675426bbbfa |      | da335b54c90a41c69c95883a8c265c32 | fa:16:3e:b3:28:7a | {"subnet_id": "bff97960-ede3-440a-85dc-3c1399289b76", "ip_address": "172.20.0.1"}  |
+--------------------------------------+------+----------------------------------+-------------------+------------------------------------------------------------------------------------+
  • From the controller node, ping a host address in the provider network
~]# ping -c 4 10.6.11.102
PING 10.6.11.102 (10.6.11.102) 56(84) bytes of data.
64 bytes from 10.6.11.102: icmp_seq=1 ttl=63 time=0.653 ms
64 bytes from 10.6.11.102: icmp_seq=2 ttl=63 time=0.729 ms
64 bytes from 10.6.11.102: icmp_seq=3 ttl=63 time=0.774 ms
64 bytes from 10.6.11.102: icmp_seq=4 ttl=63 time=0.720 ms

--- 10.6.11.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.653/0.719/0.774/0.043 ms

2. Define a flavor

A flavor is a bundle of instance sizing parameters (vCPUs, RAM, disk); each flavor fixes the resources a class of instance gets, and an instance is created by referring to one.

(1) Source the admin-openrc environment file before running any flavor commands.
~]# . admin-openrc
(2) Create the flavor

~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field                      | Value   |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled   | False   |
| OS-FLV-EXT-DATA:ephemeral  | 0       |
| disk                       | 1       |
| id                         | 0       |
| name                       | m1.nano |
| os-flavor-access:is_public | True    |
| properties                 |         |
| ram                        | 64      |
| rxtx_factor                | 1.0     |
| swap                       |         |
| vcpus                      | 1       |
+----------------------------+---------+

(3) List the existing flavors

~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name    | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
| 0  | m1.nano |  64 |    1 |         0 |     1 | True      |
+----+---------+-----+------+-----------+-------+-----------+

3. Create a key pair

Once a key pair is registered, every instance launched with it has the public key injected into the default login user's authorized_keys through the metadata service, so whoever holds the matching private key (here root on the controller, where it is generated) can SSH to the instance without a password. ssh-keygen -N "" writes that private key unencrypted; outside a lab, generate the pair on an administrator's workstation with a passphrase and upload only the public key.

(1) Source the demo-openrc environment file before running the keypair commands.
~]# . demo-openrc
(2) Generate a key pair and register its public key
~]# ssh-keygen -q -N ""

~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | 6c:f0:d8:7b:eb:6b:c3:66:77:49:51:7b:f3:0a:1c:22 |
| name        | mykey                                           |
| user_id     | 987e3ca1748d473d8d658f5f34d1ad39                |
+-------------+-------------------------------------------------+

(3) List the key pairs

~]# openstack keypair list
+-------+-------------------------------------------------+
| Name  | Fingerprint                                     |
+-------+-------------------------------------------------+
| mykey | 6c:f0:d8:7b:eb:6b:c3:66:77:49:51:7b:f3:0a:1c:22 |
+-------+-------------------------------------------------+
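
As an added example, not code from this page or from Nova, the following Python shows how the Fingerprint column above is derived (MD5 over the decoded key blob, printed as colon-separated hex, the same value ssh-keygen -E md5 -lf prints) and the structural check worth doing on a public key before uploading it. The key it builds is a constructed placeholder, not a real RSA key, and the comment string is an assumption.

```python
import base64
import hashlib
import struct

# Added example for this page, not Nova's code: check an OpenSSH public key line
# and derive the MD5 colon fingerprint that `openstack keypair list` shows.


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack('>I', len(data)) + data


def build_rsa_public_key(e, n, comment='demo@controller'):
    """Assemble an OpenSSH 'ssh-rsa' line from raw exponent and modulus bytes.
    Used here only to construct sample input; the values fed in below are
    placeholders, not a real key, and the comment is an assumed string."""
    blob = _ssh_string(b'ssh-rsa') + _ssh_string(e) + _ssh_string(n)
    return 'ssh-rsa ' + base64.b64encode(blob).decode('ascii') + ' ' + comment


def parse_public_key(line):
    """Return (key_type, blob). Rejects anything that is not
    '<type> <base64> [comment]' or whose blob does not begin with the
    declared type, which catches truncated or mislabelled keys."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError('expected "<type> <base64> [comment]"')
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError('public key is not valid base64') from exc
    if len(blob) < 4:
        raise ValueError('key blob too short')
    (length,) = struct.unpack('>I', blob[:4])
    if blob[4:4 + length] != key_type.encode('ascii'):
        raise ValueError('declared key type does not match the encoded blob')
    return key_type, blob


def is_valid_public_key(line):
    """Boolean wrapper around parse_public_key for quick checks."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def fingerprint_md5(line):
    """MD5 over the decoded blob as colon-separated hex: the format of the
    Fingerprint column above and of `ssh-keygen -E md5 -lf key.pub`."""
    _, blob = parse_public_key(line)
    digest = hashlib.md5(blob).hexdigest()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: e = 65537 and a 64-byte placeholder modulus with a leading
# zero byte, as an SSH mpint needs when the first significant bit is set.
SAMPLE_KEY = build_rsa_public_key(b'\x01\x00\x01', b'\x00\xb7' + bytes(range(1, 63)))

if __name__ == '__main__':
    print(SAMPLE_KEY)
    print('fingerprint:', fingerprint_md5(SAMPLE_KEY))
```

Running fingerprint_md5 over ~/.ssh/id_rsa.pub and comparing with the Fingerprint column of openstack keypair list confirms that the key Nova holds is the one you generated; ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub gives the same digest with an MD5: prefix.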

4. Manage security group rules

Security groups are a per-instance firewall; the default security group is applied to every instance unless another is specified. For a cirros instance we need at least ICMP (ping) and secure shell (SSH). Both rules below accept traffic from any source (remote_ip_prefix 0.0.0.0/0); outside a lab, add --remote-ip with your management network so that only administrators' hosts can reach port 22.
(1) Allow ping in the default security group

~]# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2018-02-12T01:53:48Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 1f0f98e7-8d3d-445d-84fa-0f905598dc4e |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | da335b54c90a41c69c95883a8c265c32     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| updated_at        | 2018-02-12T01:53:48Z                 |
+-------------------+--------------------------------------+

(2) Allow SSH in the default security group

~]# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2018-02-12T01:54:13Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 749738f6-5695-4c7b-a92c-e1cc96b2e271 |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | da335b54c90a41c69c95883a8c265c32     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| updated_at        | 2018-02-12T01:54:13Z                 |
+-------------------+--------------------------------------+

(3) List the existing security group rules (the four rules with no protocol are the group's defaults: two egress-any rules, one each for IPv4 and IPv6, and two ingress rules admitting traffic from members of the same group; add --long to see the Direction and Ethertype columns)

~]# openstack security group rule list
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 0cc42761-ec75-486f-99f1-9ed3a9672df0 | None        | None      |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 1f0f98e7-8d3d-445d-84fa-0f905598dc4e | icmp        | 0.0.0.0/0 |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 6d835457-8407-4445-bd76-b4956eafd32d | None        | None      |            | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 749738f6-5695-4c7b-a92c-e1cc96b2e271 | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 80b1d692-6b83-4bfb-a5d6-bb163f92274e | None        | None      |            | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 9d28f8dd-47ec-46a7-95b0-973d8fc9801e | None        | None      |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
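
An added example (not from this page or from the OpenStack project) of the rule audit a practitioner would run after the steps above: it parses the table printed by openstack security group rule list, using the table above as its constructed sample input, and flags rules reachable from any source, and SSH among them.

```python
# Added example, not part of the original page: parse the table printed by
# `openstack security group rule list` and flag rules open to any source.
# SAMPLE_TABLE is the table from this page, pasted in as constructed input.

SAMPLE_TABLE = """\
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 0cc42761-ec75-486f-99f1-9ed3a9672df0 | None        | None      |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 1f0f98e7-8d3d-445d-84fa-0f905598dc4e | icmp        | 0.0.0.0/0 |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 6d835457-8407-4445-bd76-b4956eafd32d | None        | None      |            | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 749738f6-5695-4c7b-a92c-e1cc96b2e271 | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 80b1d692-6b83-4bfb-a5d6-bb163f92274e | None        | None      |            | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
| 9d28f8dd-47ec-46a7-95b0-973d8fc9801e | None        | None      |            | None                                 | 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
"""

# Prefixes that mean "any source" for IPv4 and IPv6.
ANY_SOURCE = {'0.0.0.0/0', '::/0'}


def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column header.
    The CLI prints the literal string 'None' for unset fields; both that and an
    empty cell become Python None."""
    rows = [line for line in text.splitlines() if line.startswith('|')]
    header = [c.strip() for c in rows[0].strip('|').split('|')]
    parsed = []
    for line in rows[1:]:
        cells = [c.strip() for c in line.strip('|').split('|')]
        parsed.append({k: (None if v in ('', 'None') else v)
                       for k, v in zip(header, cells)})
    return parsed


def port_range(rule):
    """'22:22' -> (22, 22); an empty Port Range means every port."""
    pr = rule['Port Range']
    if pr is None:
        return (1, 65535)
    lo, hi = pr.split(':')
    return (int(lo), int(hi))


def covers_port(rule, port):
    lo, hi = port_range(rule)
    return lo <= port <= hi


def world_open_rules(rules):
    """Rules whose remote is an any-source prefix. This short table has no
    Direction column; confirm ingress vs egress with the --long output."""
    return [r for r in rules if r['IP Range'] in ANY_SOURCE]


def world_open_ssh(rules):
    """IDs of any-source TCP rules whose port range includes 22."""
    return [r['ID'] for r in world_open_rules(rules)
            if r['IP Protocol'] == 'tcp' and covers_port(r, 22)]


if __name__ == '__main__':
    rules = parse_table(SAMPLE_TABLE)
    for r in world_open_rules(rules):
        print('open to any source:', r['ID'], r['IP Protocol'], r['Port Range'])
    print('SSH from anywhere:', world_open_ssh(rules))
```

On the table above the audit reports the icmp rule and the tcp/22 rule; the remedy for the latter is to recreate it with --remote-ip set to the administrators' network (for example --remote-ip 10.6.10.0/24, an assumed management range) and delete the any-source rule with openstack security group rule delete.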

5. Launch an instance

a. Launch an instance on the provider network

(1) Determine the instance options

  • Source the demo-openrc environment file
    ~]# . demo-openrc
  • List the available flavors
~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name    | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
| 0  | m1.nano |  64 |    1 |         0 |     1 | True      |
+----+---------+-----+------+-----------+-------+-----------+
  • List the available images
~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 536da1ed-6f9e-4273-abb2-529e4c212c98 | cirros | active |
+--------------------------------------+--------+--------+
  • List the available networks
~]# openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID                                   | Name     | Subnets                              |
+--------------------------------------+----------+--------------------------------------+
| 8494999d-5736-4ca6-a9c1-1b10bf0e62f1 | provider | 51b142cf-4d4c-4069-b8b3-1800c2130902 |
+--------------------------------------+----------+--------------------------------------+
  • List the available security groups
~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+
| ID                                   | Name    | Description            | Project                          |
+--------------------------------------+---------+------------------------+----------------------------------+
| 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | default | Default security group | da335b54c90a41c69c95883a8c265c32 |
+--------------------------------------+---------+------------------------+----------------------------------+

(2) Launch the instance

  • Launch an instance named provider-instance
~]# openstack server create --flavor m1.nano --image cirros \
  --nic net-id=8494999d-5736-4ca6-a9c1-1b10bf0e62f1 --security-group default \
  --key-name mykey provider-instance
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | Hh4LTXrWmR9s                                  |
| config_drive                |                                               |
| created                     | 2018-02-12T02:48:12Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | b4bbadb4-c913-4539-a2dc-ec8521a75782          |
| image                       | cirros (536da1ed-6f9e-4273-abb2-529e4c212c98) |
| key_name                    | mykey                                         |
| name                        | provider-instance                             |
| progress                    | 0                                             |
| project_id                  | da335b54c90a41c69c95883a8c265c32              |
| properties                  |                                               |
| security_groups             | name='8eb18d15-4eb7-4c71-9de0-3c0f57913bc8'   |
| status                      | BUILD                                         |
| updated                     | 2018-02-12T02:48:12Z                          |
| user_id                     | 987e3ca1748d473d8d658f5f34d1ad39              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
  • Check the instance status
~]# openstack server list
+--------------------------------------+-------------------+--------+----------------------+--------+---------+
| ID                                   | Name              | Status | Networks             | Image  | Flavor  |
+--------------------------------------+-------------------+--------+----------------------+--------+---------+
| b4bbadb4-c913-4539-a2dc-ec8521a75782 | provider-instance | ACTIVE | provider=10.6.11.108 | cirros | m1.nano |
+--------------------------------------+-------------------+--------+----------------------+--------+---------+

(3) Access the instance through a virtual console

  • Obtain the VNC console session URL for provider-instance
~]# openstack console url show provider-instance
+-------+---------------------------------------------------------------------------------+
| Field | Value                                                                           |
+-------+---------------------------------------------------------------------------------+
| type  | novnc                                                                           |
| url   | http://controller:6080/vnc_auto.html?token=18486826-9a6c-42c5-a2dc-4163e8571541 |
+-------+---------------------------------------------------------------------------------+
  • Access the instance provider-instance

This step ran into errors; the details are as follows:
Problem 1
provider-instance showed that it had obtained the IP address 10.6.11.108, but it could not be pinged from the controller node;
attempting to open the instance console through the dashboard gave the message "fails to connect to server (code: 1006)".
Resolution:
Troubleshooting later showed that the cause was SELinux and the firewalld service not having been disabled on the compute1 node; after disabling them everything worked normally.
Problem 2
Once the console could connect, starting the instance showed that the system did not boot in the console; it stayed stuck at the black GRUB screen reading "cirros booting from harddisk..." and would not continue.
Resolution:
~]# vim /etc/nova/nova.conf

[libvirt]
hw_machine_type = x86_64=pc-i440fx-rhel7.2.0

After rebooting the compute1 node, the cirros system booted normally and could be logged into from the console.

b. Launch an instance on the self-service network

(1) On the controller node, source the demo-openrc credentials script
~]# . demo-openrc
(2) List the available flavors

~]# openstack flavor list
+----+-----------+------+------+-----------+-------+-----------+
| ID | Name      |  RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+------+------+-----------+-------+-----------+
| 0  | m1.nano   |   64 |    1 |         0 |     1 | True      |
| 1  | m1.medium | 4096 |   70 |         0 |     4 | True      |
+----+-----------+------+------+-----------+-------+-----------+

(3) List the available images

~]# openstack image list
+--------------------------------------+----------------------+--------+
| ID                                   | Name                 | Status |
+--------------------------------------+----------------------+--------+
| 51fd6dd6-54a4-4998-a0ee-12420704dcbb | Windows 7 x86_64 SP1 | active |
| 536da1ed-6f9e-4273-abb2-529e4c212c98 | cirros               | active |
| 9e44b5d6-174d-4155-8d96-bc00e1a09c81 | cirros-0.3.0         | active |
+--------------------------------------+----------------------+--------+

(4) List the available networks

~]# openstack network list
+--------------------------------------+-------------+--------------------------------------+
| ID                                   | Name        | Subnets                              |
+--------------------------------------+-------------+--------------------------------------+
| 3c54c8fe-41b5-4691-aac4-ae6e2436cae2 | provider    | 67229772-925c-4471-a7a7-901580ace1ae |
| 732b888f-b4e9-4eae-ad82-c93b51a67080 | selfservice | bff97960-ede3-440a-85dc-3c1399289b76 |
+--------------------------------------+-------------+--------------------------------------+

(5) List the available security groups

~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+
| ID                                   | Name    | Description            | Project                          |
+--------------------------------------+---------+------------------------+----------------------------------+
| 8eb18d15-4eb7-4c71-9de0-3c0f57913bc8 | default | Default security group | da335b54c90a41c69c95883a8c265c32 |
+--------------------------------------+---------+------------------------+----------------------------------+

(6) Launch an instance

~]# openstack server create --flavor m1.nano --image cirros \
  --nic net-id=732b888f-b4e9-4eae-ad82-c93b51a67080 --security-group default \
  --key-name mykey selfservice-instance
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | ekiRM3QRnVdS                                  |
| config_drive                |                                               |
| created                     | 2018-02-14T02:17:28Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | 0da11449-9357-4bd0-bea5-564779e43fe3          |
| image                       | cirros (536da1ed-6f9e-4273-abb2-529e4c212c98) |
| key_name                    | mykey                                         |
| name                        | selfservice-instance                          |
| progress                    | 0                                             |
| project_id                  | da335b54c90a41c69c95883a8c265c32              |
| properties                  |                                               |
| security_groups             | name='8eb18d15-4eb7-4c71-9de0-3c0f57913bc8'   |
| status                      | BUILD                                         |
| updated                     | 2018-02-14T02:17:28Z                          |
| user_id                     | 987e3ca1748d473d8d658f5f34d1ad39              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+

(7) Check the instance status

~]# openstack server list
+--------------------------------------+----------------------+--------+-------------------------+--------+---------+
| ID                                   | Name                 | Status | Networks                | Image  | Flavor  |
+--------------------------------------+----------------------+--------+-------------------------+--------+---------+
| 0da11449-9357-4bd0-bea5-564779e43fe3 | selfservice-instance | ACTIVE | selfservice=172.20.0.11 | cirros | m1.nano |
| 4541dfcc-df61-4e4e-8405-be835bd80c67 | 1                    | ACTIVE | provider=10.6.11.102    |        | m1.nano |
+--------------------------------------+----------------------+--------+-------------------------+--------+---------+

(8) Access the instance through a virtual console

  • Obtain the console session URL
~]# openstack console url show selfservice-instance
+-------+---------------------------------------------------------------------------------+
| Field | Value                                                                           |
+-------+---------------------------------------------------------------------------------+
| type  | novnc                                                                           |
| url   | http://controller:6080/vnc_auto.html?token=3bd17f94-3a60-4e1f-902e-6e678040ff20 |
+-------+---------------------------------------------------------------------------------+
  • From inside the instance, ping the self-service network gateway to verify connectivity
$ ping -c 4 172.20.0.1
PING 172.20.0.1 (172.20.0.1): 56 data bytes
64 bytes from 172.20.0.1: seq=0 ttl=64 time=0.514 ms
64 bytes from 172.20.0.1: seq=1 ttl=64 time=0.658 ms
64 bytes from 172.20.0.1: seq=2 ttl=64 time=0.615 ms
64 bytes from 172.20.0.1: seq=3 ttl=64 time=0.707 ms

--- 172.20.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.514/0.623/0.707 ms
  • Verify that the instance can reach the Internet
$ ping -c 4 www.baidu.com
PING www.baidu.com (119.75.216.20): 56 data bytes
64 bytes from 119.75.216.20: seq=0 ttl=54 time=3.349 ms
64 bytes from 119.75.216.20: seq=1 ttl=54 time=3.717 ms
64 bytes from 119.75.216.20: seq=2 ttl=54 time=3.839 ms
64 bytes from 119.75.216.20: seq=3 ttl=54 time=3.870 ms

--- www.baidu.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3.349/3.693/3.870 ms

(9) Access the instance from outside

  • Create a floating IP address on the provider network
~]# openstack floating ip create provider
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2018-02-14T02:37:44Z                 |
| description         |                                      |
| fixed_ip_address    | None                                 |
| floating_ip_address | 10.6.11.105                          |
| floating_network_id | 3c54c8fe-41b5-4691-aac4-ae6e2436cae2 |
| id                  | bc3e745b-a144-404c-a5c7-95d4cb0a32b6 |
| name                | 10.6.11.105                          |
| port_id             | None                                 |
| project_id          | da335b54c90a41c69c95883a8c265c32     |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| updated_at          | 2018-02-14T02:37:44Z                 |
+---------------------+--------------------------------------+
  • Associate the floating IP with the selfservice-instance instance
~]# openstack server add floating ip selfservice-instance 10.6.11.105
The IP address used in this step is the one allocated when the floating IP was created in the previous step; it cannot be chosen arbitrarily.
  • Check the status of the instance's floating IP
~]# openstack server list
+--------------------------------------+----------------------+--------+--------------------------------------+--------+---------+
| ID                                   | Name                 | Status | Networks                             | Image  | Flavor  |
+--------------------------------------+----------------------+--------+--------------------------------------+--------+---------+
| 0da11449-9357-4bd0-bea5-564779e43fe3 | selfservice-instance | ACTIVE | selfservice=172.20.0.11, 10.6.11.105 | cirros | m1.nano |
| 4541dfcc-df61-4e4e-8405-be835bd80c67 | 1                    | ACTIVE | provider=10.6.11.102                 |        | m1.nano |
+--------------------------------------+----------------------+--------+--------------------------------------+--------+---------+
  • Ping the instance's floating IP from the controller node
~]# ping -c 4 10.6.11.105
PING 10.6.11.105 (10.6.11.105) 56(84) bytes of data.
64 bytes from 10.6.11.105: icmp_seq=1 ttl=62 time=1.01 ms
64 bytes from 10.6.11.105: icmp_seq=2 ttl=62 time=1.00 ms
64 bytes from 10.6.11.105: icmp_seq=3 ttl=62 time=1.35 ms
64 bytes from 10.6.11.105: icmp_seq=4 ttl=62 time=1.02 ms

--- 10.6.11.105 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.005/1.099/1.353/0.150 ms
  • Connect to the instance's floating IP via SSH
ssh cirros@10.6.11.105
The authenticity of host '10.6.11.105 (10.6.11.105)' can't be established.
RSA key fingerprint is SHA256:K2XyoJZv+bZVVPdNnagAXRyA4+8VOpW2lzEnnhWvjo4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.6.11.105' (RSA) to the list of known hosts.
cirros@10.6.11.105's password:
$
