cloud:
IaaS (Infrastructure as a Service)
  openstack, cloudstack
PaaS (Platform as a Service)
  docker
SaaS (Software as a Service)
Cloud computing with OpenStack
The vision of the cloud: consume compute and network resources the way you consume tap water, on demand and pay-as-you-go.
Cloud computing is a pay-per-use model that provides available, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, services) that can be provisioned rapidly with minimal management effort or service-provider interaction.
Classification by use:
Private cloud: emphasis on compatibility, security, customization
Public cloud: emphasis on capacity, elasticity, cost
Hybrid cloud
Classification by delivery model:
IaaS, Infrastructure as a Service; representative vendors: Tencent Cloud, Alibaba Cloud, AWS
PaaS, Platform as a Service; representative vendor: Sina App Engine
SaaS, Software as a Service; representative vendor: Microsoft Office 365
Criteria for choosing a cloud management platform:
1. Breadth of the API
2. Which open-source license it is released under
3. Maturity of the platform
OpenStack release: Juno
Components:
nova: compute service
glance: image service
swift: object storage
cinder: block storage
neutron: networking
horizon: dashboard
keystone: identity service
heat: orchestration
ceilometer: telemetry (monitoring)
trove: database service
sahara: data processing
Installation layout:
OS: CentOS 7
OpenStack release: Juno
firewalld and SELinux disabled (test-environment shortcut; see the note under system initialization)
Resource plan:
controller node: 1 CPU, 1 GB RAM, 1 NIC (management network), 100 GB disk
compute node: as many CPUs and as much RAM as possible, 2 NICs (management network, instance tunnel network), 100 GB disk
network node: 2 CPUs, 2 GB RAM, 3 NICs (management network, instance tunnel network, external network), 20 GB system disk
block node: 2 CPUs, 1.5 GB RAM, 1 NIC (management network), 20 GB system disk, 100 GB for volumes
System initialization (all nodes):
1. Disable firewalld, NetworkManager and SELinux
# systemctl stop firewalld NetworkManager
# systemctl disable firewalld NetworkManager
# vim /etc/selinux/config
SELINUX=disabled
Note: switching the host firewall and SELinux off is acceptable only for this throwaway test environment. In production keep both on and open just the service ports on the management network (5000 and 35357 keystone, 9292 glance, 8774 nova API, 6080 noVNC, 9696 neutron, 3306 MariaDB, 5672 RabbitMQ, 80 horizon); the one SELinux boolean this procedure needs (httpd_can_network_connect for the dashboard) is noted where it comes up.
2. Host name, name resolution, time synchronization
Test-environment plan:
controller.nice.com 192.168.222.5
network.nice.com 192.168.222.6
compute1.nice.com 192.168.222.10
block1.nice.com 192.168.222.20
# hostnamectl set-hostname XXXX   (the node's name from the plan above)
# vim /etc/hosts
192.168.222.5 controller.nice.com
192.168.222.6 network.nice.com
192.168.222.10 compute1.nice.com
192.168.222.20 block1.nice.com
# yum install chrony -y
# systemctl start chronyd
# systemctl enable chronyd
3. Install yum-plugin-priorities, the EPEL repository and the OpenStack Juno repository
# yum install yum-plugin-priorities epel-release -y
# vim /etc/yum.repos.d/openstack.repo
[openstack-juno]
name=openstack-juno
baseurl=https://repos.fedorapeople.org/repos/openstack/EOL/openstack-juno/epel-7/
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Caveat: Juno is end-of-life (hence the EOL path in the URL) and gpgcheck=0 turns off RPM signature verification, so nothing checks that the packages are what the repository owner published; the gpgkey line has no effect while gpgcheck is 0. HTTPS protects the download path, not the package contents. Fine for a lab, not for anything that matters.
4. Update the system and reboot
# yum update -y && reboot
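The two weak spots in the repository definition above (gpgcheck=0, and in general a baseurl fetched over plain http) are easy to miss once a node has a dozen .repo files. The following script is an added example, not part of the original notes: it audits yum repository files and reports every enabled repo that has signature checking unset or disabled, or a plain-http baseurl. The sample .repo content is constructed here (the Juno repo exactly as defined above, plus a signed repo on a made-up http mirror and a disabled one); on a real node run it as `audit_repos /etc/yum.repos.d/*.repo`.

```sh
#!/bin/sh
# Added example (not part of the original notes): audit yum repository
# definitions for repos with gpgcheck unset/0 (RPM signatures never verified)
# and repos fetched over plain http. Assumes the standard yum .repo INI layout.

# audit_repos FILE... -> prints "<repo-id> <finding>" for each enabled repo
# that has gpgcheck unset or != 1, or a baseurl that starts with http://.
audit_repos() {
    awk '
        function flush() {
            if (id == "" || enabled == "0") return      # nothing yet, or repo disabled
            if (gpgcheck == "")       print id, "gpgcheck-unset"
            else if (gpgcheck != "1") print id, "gpgcheck-disabled"
            if (baseurl ~ /^http:/)   print id, "plain-http-baseurl"
        }
        /^[[:space:]]*\[/ {                             # [repo-id] starts a new section
            flush()
            id = $0; sub(/^[[:space:]]*\[/, "", id); sub(/[]][[:space:]]*$/, "", id)
            enabled = "1"; gpgcheck = ""; baseurl = ""  # yum default: enabled unless told otherwise
            next
        }
        /^[[:space:]]*[#;]/ { next }                    # comment line
        /=/ {
            key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "baseurl")  baseurl  = val
        }
        END { flush() }
    ' "$@"
}

# write_sample_repos FILE -> constructed sample (not a real system file): the
# Juno repo as the notes define it, a signed repo on a made-up http mirror,
# and a disabled repo that must be ignored.
write_sample_repos() {
    cat > "$1" <<'EOF'
[openstack-juno]
name=openstack-juno
baseurl=https://repos.fedorapeople.org/repos/openstack/EOL/openstack-juno/epel-7/
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[base]
name=CentOS-7 - Base (mirror name is made up)
baseurl=http://mirror.example.invalid/centos/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[scratch]
name=disabled repos are ignored
baseurl=http://mirror.example.invalid/scratch/
enabled=0
gpgcheck=0
EOF
}

# Demo run on the constructed file; on a real node: audit_repos /etc/yum.repos.d/*.repo
sample=$(mktemp)
write_sample_repos "$sample"
audit_repos "$sample"
rm -f "$sample"
```

The finding names are deliberately machine-readable so the script can gate a provisioning job (`audit_repos ... | grep -q . && exit 1`). A repo that is signed but served over http is still flagged: the signature protects the package, but the metadata and the choice of which package version you are offered are not covered without HTTPS.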
Installing the components:
I. keystone (Identity service): the project name of the OpenStack Identity service; it is the component responsible for identity management and authorization. Its main functions: user authentication, role-based access control, and the catalog of the other components' API endpoints and their access policy.
On the controller node:
1. Database: mariadb packages. Note: in production, run a separate MySQL/MariaDB cluster.
# yum install mariadb mariadb-server MySQL-python -y
# vim /etc/my.cnf   (add under [mysqld])
[mysqld]
bind-address=192.168.222.5
default-storage-engine=innodb
innodb_file_per_table
collation-server=utf8_general_ci
init-connect='SET NAMES utf8'
character-set-server=utf8
# systemctl start mariadb
# systemctl enable mariadb
# mysql_secure_installation   (set the root password, remove the anonymous users and the test database, disallow remote root login)
2. Message queue: rabbitmq. Note: in production, run a separate RabbitMQ cluster.
# yum install rabbitmq-server -y
# systemctl start rabbitmq-server
# systemctl enable rabbitmq-server
# rabbitmqctl change_password guest guest123   (change the password of the default guest user to guest123)
Caveat: RabbitMQ 3.3 and later only accepts the guest user from localhost. The compute and network nodes connect over the management network, so if the installed version is 3.3 or newer, either create a dedicated user for them (rabbitmqctl add_user / set_permissions, then rabbit_userid in the service configs) or, for the lab only, clear loopback_users in /etc/rabbitmq/rabbitmq.config. A dedicated user is the better choice: the queue carries every RPC call in the cloud, and anyone who can publish to it can drive the services.
3. Time server
# vim /etc/chrony.conf
allow 192.168.222.0/24
# systemctl restart chronyd
4. keystone database
# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';
(The '%' grant allows the keystone user from any host. Only the controller runs keystone here, so 'keystone'@'192.168.222.5' would be the tighter grant; the same applies to every service database below.)
# openssl rand -hex 10   (generate a random value to use as the admin token)
275d75ff789937d7003d
# yum install openstack-keystone python-keystoneclient -y
# vim /etc/keystone/keystone.conf   (set the following)
[DEFAULT]
admin_token=275d75ff789937d7003d   (the bootstrap admin token: it bypasses user authentication entirely, so treat it like the root password and keep it out of scripts and shell history once the admin user exists)
verbose=True   (verbose logging, helps troubleshooting)
[database]
connection=mysql://keystone:keystone123@controller.nice.com/keystone
[token]
provider=keystone.token.providers.uuid.Provider   (UUID token provider)
driver=keystone.token.persistence.backends.sql.Token   (SQL token persistence)
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone   (generate the signing certificate and key, owned by user and group keystone)
# chown -R keystone:keystone /var/log/keystone
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl
# su -s /bin/sh -c "keystone-manage db_sync" keystone   (populate the keystone database)
# mysql -uroot -p -e "show tables from keystone;"   (verify the keystone database)
# systemctl start openstack-keystone
# systemctl enable openstack-keystone
Purge expired tokens every hour (the UUID provider keeps every issued token in the SQL table until it is flushed):
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
# crontab -l -u keystone   (verify the cron job)
@hourly /usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1
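Every configuration step in these notes is "vim the file, set a key under a section", repeated for keystone.conf, glance-api.conf, glance-registry.conf, nova.conf and neutron.conf on several nodes. Editing by hand is where duplicate keys and keys that land in the wrong section come from, and oslo.config silently takes the last duplicate it sees. The helpers below are an added example, not from the original notes: ini_get reads the effective value of a key in a section, and ini_set rewrites an existing key in place (dropping duplicates), appends the key to its section if missing, and appends the section if that is missing too, so the same call can be re-run safely. They assume "key = value" INI files with [section] headers and #/; comments; the keystone.conf fragment in the demo is constructed, not a real file.

```sh
#!/bin/sh
# Added example (not part of the original notes): idempotent "set key under
# [section]" for OpenStack-style INI files. Assumes "key = value" lines,
# [section] headers and comment lines starting with # or ;. Values are passed
# to awk with -v, so a value containing backslashes would be escape-processed.

# ini_get FILE SECTION KEY -> prints the effective (last) value, nothing if unset
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); in_s = (h == s); next }
        in_s && !/^[[:space:]]*[#;]/ && /=/ {
            key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val); found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# ini_set FILE SECTION KEY VALUE -> edits FILE in place; safe to run repeatedly.
# The result is copied back with cat so the file keeps its owner and mode
# (e.g. root:keystone 0640); a plain mv of the temp file would lose them.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v s="[$section]" -v k="$key" -v v="$value" '
        function emit_kv()      { print k " = " v; done = 1 }
        function flush_blanks() { while (blanks > 0) { print ""; blanks-- } }
        /^[[:space:]]*\[/ {                          # section header
            if (in_s && !done) emit_kv()             # leaving target section: add the missing key
            flush_blanks()
            h = $0; gsub(/[[:space:]]/, "", h); in_s = (h == s)
            print; next
        }
        in_s && /^[[:space:]]*$/ { blanks++; next }  # hold blank lines so the key stays inside the section
        in_s && !/^[[:space:]]*[#;]/ && /=/ {        # key = value inside the target section
            key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key == k) {                          # rewrite the first match, drop later duplicates
                if (!done) { flush_blanks(); emit_kv() }
                next
            }
        }
        { if (in_s) flush_blanks(); print }
        END {
            if (!done) {
                if (!in_s) { print ""; print s }     # section absent: append it
                emit_kv()
            }
            flush_blanks()
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed keystone.conf fragment: apply the [DEFAULT], [database]
# and [token] settings from the notes. The admin token is generated the way the
# notes do it (20 random hex characters) rather than pasted by hand.
demo_keystone_conf() {
    f=$(mktemp)
    printf '[DEFAULT]\n#admin_token = ADMIN\nverbose = False\n\n[token]\n# provider = <set me>\n' > "$f"
    ini_set "$f" DEFAULT admin_token "$(head -c 10 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    ini_set "$f" DEFAULT verbose True
    ini_set "$f" database connection 'mysql://keystone:keystone123@controller.nice.com/keystone'
    ini_set "$f" token provider keystone.token.providers.uuid.Provider
    ini_set "$f" token driver keystone.token.persistence.backends.sql.Token
    cat "$f"
    rm -f "$f"
}
demo_keystone_conf
```

Running the same ini_set twice leaves the file unchanged, which is what you want from a provisioning script. The `[token]` keys in the demo are set after `[database]` is appended, showing that the section lookup is by header, not by position in the file.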
5. Create tenants, users and roles (authenticating with the bootstrap token)
# export OS_SERVICE_TOKEN=275d75ff789937d7003d
# export OS_SERVICE_ENDPOINT=http://controller.nice.com:35357/v2.0
a. Create the admin tenant
# keystone tenant-create --name admin --description "Admin Tenant"
b. Create the admin user
# keystone user-create --name admin --pass admin123
c. Create the admin role
# keystone role-create --name admin
d. Link the admin user in the admin tenant to the admin role
# keystone user-role-add --tenant admin --user admin --role admin
e. Create the "_member_" role used by the dashboard
# keystone role-create --name _member_
f. Link the admin user in the admin tenant to the _member_ role
# keystone user-role-add --tenant admin --user admin --role _member_
g. Create the service tenant
# keystone tenant-create --name service --description "Service Tenant"
Create a demo tenant and user for testing
# keystone tenant-create --name demo --description "Demo Tenant"
# keystone user-create --name demo --pass demo123
# keystone user-role-add --tenant demo --user demo --role _member_
Create the service entity and API endpoints
1. Create a service entity for the Identity service
# keystone service-create --name keystone --type identity --description "OpenStack Identity"
2. Create the three API endpoints for the Identity service: admin, internal and public
# keystone endpoint-create --service-id $(keystone service-list | awk '/ identity / {print $2}') --publicurl http://controller.nice.com:5000/v2.0 --internalurl http://controller.nice.com:5000/v2.0 --adminurl http://controller.nice.com:35357/v2.0 --region regionOne
(The region string "regionOne" is compared literally by every client that looks up the catalog; use exactly the same spelling wherever a region is configured later.)
Verify the installation
1. Unset the temporary variables OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT; from here on everything authenticates as a real user
# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
2. Request an authentication token as the admin user in the admin tenant
# keystone --os-tenant-name admin --os-username admin --os-password admin123 --os-auth-url http://controller.nice.com:35357/v2.0 token-get
3. List tenants as the admin user in the admin tenant
# keystone --os-tenant-name admin --os-username admin --os-password admin123 --os-auth-url http://controller.nice.com:35357/v2.0 tenant-list
4. List users as the admin user in the admin tenant
# keystone --os-tenant-name admin --os-username admin --os-password admin123 --os-auth-url http://controller.nice.com:35357/v2.0 user-list
5. List roles as the admin user in the admin tenant
# keystone --os-tenant-name admin --os-username admin --os-password admin123 --os-auth-url http://controller.nice.com:35357/v2.0 role-list
6. Request an authentication token as the demo user in the demo tenant
# keystone --os-tenant-name demo --os-username demo --os-password demo123 --os-auth-url http://controller.nice.com:35357/v2.0 token-get
7. Try to list users as the demo user in the demo tenant
# keystone --os-tenant-name demo --os-username demo --os-password demo123 --os-auth-url http://controller.nice.com:35357/v2.0 user-list
This must fail with "You are not authorized to perform the requested action: admin_required (HTTP 403)": the demo user only holds _member_, and the error shows the admin policy is being enforced.
Create OpenStack client environment scripts (so you do not retype tenant, user and password for every command)
1. Environment script for the admin user
# vim admin-openrc.sh
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin123
export OS_AUTH_URL=http://controller.nice.com:35357/v2.0
# source admin-openrc.sh
2. Environment script for the demo user
# vim demo-openrc.sh
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo123
export OS_AUTH_URL=http://controller.nice.com:5000/v2.0
# source demo-openrc.sh
These files hold cleartext passwords; keep them mode 600 in root's home directory, not somewhere world-readable.
Verify on the controller node (listing tenants requires the admin credentials)
# source admin-openrc.sh
# keystone tenant-list
II. glance (Image service): lets users discover, register and retrieve virtual machine images (.img files). It provides a REST API for querying image metadata and fetching the actual image file. The default image store is /var/lib/glance/images/.
On the controller node:
1. glance database
# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE glance;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance123';
2. Source the admin environment script
# source admin-openrc.sh
3. Create the service credentials
a. Create the glance user
# keystone user-create --name glance --pass glance123
b. Link the glance user to the service tenant and the admin role
# keystone user-role-add --user glance --tenant service --role admin
c. Create the glance service entity
# keystone service-create --name glance --type image --description "OpenStack Image service"
4. Create the Image service API endpoints
# keystone endpoint-create --service-id $(keystone service-list | awk '/ image / {print $2}') --publicurl http://controller.nice.com:9292 --internalurl http://controller.nice.com:9292 --adminurl http://controller.nice.com:9292 --region regionOne
Install and configure the Image service components
# yum install openstack-glance python-glance -y
# vim /etc/glance/glance-api.conf
[DEFAULT]
verbose=True
[database]
connection=mysql://glance:glance123@controller.nice.com/glance
[keystone_authtoken]
auth_host=controller.nice.com
auth_port=35357
auth_protocol=http
admin_tenant_name=service
admin_user=glance
admin_password=glance123
auth_uri=http://controller.nice.com:5000
[paste_deploy]
flavor=keystone
[glance_store]   (the store settings belong in glance-api.conf: glance-api is the process that reads and writes the image files; glance-registry only serves metadata)
default_store=file
filesystem_store_datadir=/var/lib/glance/images/
# vim /etc/glance/glance-registry.conf
[DEFAULT]
verbose=True
[database]
connection=mysql://glance:glance123@controller.nice.com/glance
[keystone_authtoken]
auth_host=controller.nice.com
auth_port=35357
auth_protocol=http
admin_tenant_name=service
admin_user=glance
admin_password=glance123
auth_uri=http://controller.nice.com:5000
[paste_deploy]
flavor=keystone
# su -s /bin/sh -c "glance-manage db_sync" glance   (populate the Image service database)
# systemctl start openstack-glance-api openstack-glance-registry
# systemctl enable openstack-glance-api openstack-glance-registry
Verify the installation (upload the CirrOS test image)
# mkdir -pv /tmp/images
# cd /tmp/images
# wget http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
(The download is plain HTTP. Compare the file's checksum with the one published alongside the release before uploading it as a public image every tenant can boot from.)
# source /root/admin-openrc.sh
# glance image-create --name "cirros-0.3.3-x86_64" --file /tmp/images/cirros-0.3.3-x86_64-disk.img --disk-format qcow2 --container-format bare --is-public True --progress
# rm -rf /tmp/images
Verify on the controller node
# glance image-list
III. nova (Compute service): manages the virtualization layer (instance lifecycle, scheduling, consoles).
On the controller node:
Prerequisites
1. nova database
# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE nova;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova123';
2. Source the admin environment script
# source admin-openrc.sh
3. Create the Compute service credentials in the Identity service
a. Create the nova user
# keystone user-create --name nova --pass nova123
b. Link the nova user to the service tenant and the admin role
# keystone user-role-add --tenant service --role admin --user nova
c. Create the nova service entity
# keystone service-create --name nova --type compute --description "OpenStack Compute"
d. Create the Compute service endpoints
# keystone endpoint-create --service-id $(keystone service-list | awk '/ compute / {print $2}') --publicurl http://controller.nice.com:8774/v2/%\(tenant_id\)s --internalurl http://controller.nice.com:8774/v2/%\(tenant_id\)s --adminurl http://controller.nice.com:8774/v2/%\(tenant_id\)s --region regionOne
Install and configure the Compute controller components
# yum install openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient -y
# vim /etc/nova/nova.conf
[DEFAULT]   (RabbitMQ access)
rabbit_host=controller.nice.com
rabbit_password=guest123
rpc_backend=rabbit
auth_strategy=keystone
my_ip=192.168.222.5   (management-interface IP of the controller node)
vncserver_listen=192.168.222.5
vncserver_proxyclient_address=192.168.222.5
verbose=True
[keystone_authtoken]   (Identity service access)
auth_uri=http://controller.nice.com:5000/v2.0
identity_uri=http://controller.nice.com:35357
admin_user=nova
admin_password=nova123
admin_tenant_name=service
[glance]
host=controller.nice.com
[database]   (database access)
connection=mysql://nova:nova123@controller.nice.com/nova
# su -s /bin/sh -c "nova-manage db sync" nova   (populate the nova database)
# systemctl start openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-consoleauth openstack-nova-novncproxy openstack-nova-scheduler
# systemctl enable openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-consoleauth openstack-nova-novncproxy openstack-nova-scheduler
(openstack-nova-consoleauth is shipped by the openstack-nova-console package installed above.)
On the compute node:
Run the same system initialization as on the controller (host name, time sync, yum repositories, etc.)
Install and configure nova
# yum install openstack-nova-compute sysfsutils -y
# vim /etc/nova/nova.conf
[DEFAULT]   (RabbitMQ access)
rabbit_host=controller.nice.com
rabbit_password=guest123
rpc_backend=rabbit
auth_strategy=keystone
my_ip=192.168.222.10   (management-interface IP of the compute node)
vnc_enabled=true
vncserver_listen=0.0.0.0
vncserver_proxyclient_address=192.168.222.10
novncproxy_base_url=http://controller.nice.com:6080/vnc_auto.html
verbose=True
(With vncserver_listen=0.0.0.0 the per-instance VNC servers accept connections on every interface of the compute node; only the noVNC proxy token protects them, so the management network must not be reachable from instances or tenants.)
[keystone_authtoken]   (Identity service access)
auth_uri=http://controller.nice.com:5000/v2.0
identity_uri=http://controller.nice.com:35357
admin_user=nova
admin_password=nova123
admin_tenant_name=service
[glance]
host=controller.nice.com
# egrep -c '(svm|vmx)' /proc/cpuinfo
The number printed is how many CPUs advertise hardware virtualization; anything greater than 0 is fine. If it is 0 (typical inside a VM without nested virtualization), set virt_type=qemu under the [libvirt] section of nova.conf.
# systemctl enable libvirtd openstack-nova-compute
# systemctl start libvirtd
# systemctl start openstack-nova-compute
Verify on the controller node
# source admin-openrc.sh
# nova service-list
# nova image-list
IV. neutron (Networking service)
On the controller node:
1. neutron database
# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron123';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron123';
2. Source the admin environment script
# source admin-openrc.sh
3. Create the Networking service credentials in the Identity service
a. Create the neutron user
# keystone user-create --name neutron --pass neutron123
b. Link the neutron user to the service tenant and the admin role
# keystone user-role-add --tenant service --role admin --user neutron
c. Create the neutron service entity
# keystone service-create --name neutron --type network --description "OpenStack Networking"
d. Create the neutron service endpoints
# keystone endpoint-create --service-id $(keystone service-list | awk '/ network / {print $2}') --publicurl http://controller.nice.com:9696 --internalurl http://controller.nice.com:9696 --adminurl http://controller.nice.com:9696 --region regionOne
Install and configure the Networking service components
Problem: python-neutron conflicts with the python2-eventlet package from EPEL:
Error: python-neutron conflicts with python2-eventlet-0.18.4-1.el7.noarch
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Fix:
1. Remove the python2-eventlet package that came from EPEL
# rpm -e --nodeps python2-eventlet
2. Install python-eventlet from the Juno repository (version 0.15.2-1.el7)
# yum --disablerepo=epel install python-eventlet -y
# yum install openstack-neutron openstack-neutron-ml2 python-neutronclient which -y
Configure the Networking service components
# vim /etc/neutron/neutron.conf
a. In [database], configure database access
[database]
connection = mysql://neutron:neutron123@controller.nice.com/neutron
b. In [DEFAULT], configure RabbitMQ access
[DEFAULT]
rabbit_host=controller.nice.com
rabbit_password=guest123
rpc_backend=rabbit
c. In [DEFAULT] and [keystone_authtoken], configure Identity service access
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://controller.nice.com:5000/v2.0
identity_uri = http://controller.nice.com:35357
admin_tenant_name = service
admin_user = neutron
admin_password = neutron123
d. In [DEFAULT], enable the Modular Layer 2 (ML2) plug-in, the router service and overlapping IP addresses
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
e. In [DEFAULT], configure Networking to notify Compute when port status or topology changes
[DEFAULT]
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://controller.nice.com:8774/v2
nova_admin_auth_url = http://controller.nice.com:35357/v2.0
nova_region_name = regionOne
nova_admin_username = neutron
nova_admin_tenant_id = 1b7db191c0294649b94bae666a7459fd   (the id of the service tenant in your environment; get it with: keystone tenant-get service)
nova_admin_password = neutron123
f. Enable verbose logging
[DEFAULT]
verbose = True
Configure the Modular Layer 2 (ML2) plug-in
# vim /etc/neutron/plugins/ml2/ml2_conf.ini
a. In [ml2], enable the flat and GRE type drivers, GRE tenant networks and the Open vSwitch mechanism driver
[ml2]
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch
b. In [ml2_type_gre], configure the tunnel identifier range
[ml2_type_gre]
tunnel_id_ranges = 1:1000
c. In [securitygroup], enable security groups and ipset, and set the OVS hybrid iptables firewall driver
[securitygroup]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Configure Compute to use Networking (nova defaults to the legacy nova-network, so this must be changed)
# vim /etc/nova/nova.conf
a. In [DEFAULT], configure the API class and drivers
[DEFAULT]
network_api_class=nova.network.neutronv2.api.API
security_group_api=neutron
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver   (Neutron enforces the security groups; nova's own firewall must be the no-op driver or rules get applied twice)
b. In [neutron], configure the access parameters
[neutron]
url=http://controller.nice.com:9696
auth_strategy=keystone
admin_auth_url=http://controller.nice.com:35357/v2.0
admin_tenant_name=service
admin_username=neutron
admin_password=neutron123
Finish the configuration
1. Create the symlink for the ML2 plug-in configuration file
# ln -sv /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade juno" neutron
3. Restart the Compute services
# systemctl restart openstack-nova-api openstack-nova-scheduler openstack-nova-conductor
4. Start the Networking service and enable it at boot
# systemctl enable neutron-server
# systemctl start neutron-server
Verify on the controller node
1. Source the admin environment script
# source admin-openrc.sh
2. List the loaded extensions to confirm neutron-server started successfully
# neutron ext-list
On the network node: install and configure the network node
Prerequisites
1. Kernel parameters
# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
2. Apply the changes
# sysctl -p
Install and configure the Networking components
Problem: the same python-neutron / python2-eventlet conflict as on the controller node:
Error: python-neutron conflicts with python2-eventlet-0.18.4-1.el7.noarch
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Fix:
1. Remove the python2-eventlet package that came from EPEL
# rpm -e --nodeps python2-eventlet
2. Install python-eventlet from the Juno repository (version 0.15.2-1.el7)
# yum --disablerepo=epel install python-eventlet -y
# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch -y
# vim /etc/neutron/neutron.conf
a. In [database], comment out any connection option: the network node talks to neutron-server over the message queue and does not access the database directly, so it should not hold the database password either.
b. In [DEFAULT], configure RabbitMQ access
[DEFAULT]
rabbit_host=controller.nice.com
rabbit_password=guest123
rpc_backend=rabbit
c. In [DEFAULT] and [keystone_authtoken], configure Identity service access
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://controller.nice.com:5000/v2.0
identity_uri = http://controller.nice.com:35357
admin_tenant_name = service
admin_user = neutron
admin_password = neutron123
d. In [DEFAULT], enable the Modular Layer 2 (ML2) plug-in, the router service and overlapping IP addresses
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
e. Enable verbose logging
[DEFAULT]
verbose = True
Configure the Modular Layer 2 (ML2) plug-in
# vim /etc/neutron/plugins/ml2/ml2_conf.ini
a. In [ml2], enable the flat and GRE type drivers, GRE tenant networks and the Open vSwitch mechanism driver
[ml2]
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch
b. In [ml2_type_flat], configure the external flat network
[ml2_type_flat]
flat_networks = external
c. In [ml2_type_gre], configure the tunnel identifier range
[ml2_type_gre]
tunnel_id_ranges = 1:1000
d. In [securitygroup], enable security groups and ipset, and set the OVS hybrid iptables firewall driver
[securitygroup]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
e. In [ovs], configure the Open vSwitch (OVS) agent
[ovs]
local_ip = 172.16.0.6   (IP of the network node's instance tunnel interface)
tunnel_type = gre
enable_tunneling = True
bridge_mappings = external:br-ex   (maps the "external" physical network to the bridge br-ex)
Configure the Layer-3 (L3) agent
# vim /etc/neutron/l3_agent.ini
a. In [DEFAULT], enable debug logging
[DEFAULT]
debug = True
b. In [DEFAULT], configure the interface driver, enable network namespaces and set the external bridge
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
external_network_bridge = br-ex
Configure the DHCP agent
1. Required
# vim /etc/neutron/dhcp_agent.ini
a. In [DEFAULT], enable debug logging
[DEFAULT]
debug = True
b. In [DEFAULT], configure the drivers and enable namespaces
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
use_namespaces = True
2. (Optional; required when the nodes are VMware virtual machines) Hand instances an MTU of 1454 bytes via DHCP. GRE encapsulation adds overhead on top of the 1500-byte NIC MTU; without this, large packets are fragmented or silently dropped inside the tunnels.
a. In /etc/neutron/dhcp_agent.ini under [DEFAULT], point to a dnsmasq configuration file
[DEFAULT]
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
b. Create and edit /etc/neutron/dnsmasq-neutron.conf
# vim /etc/neutron/dnsmasq-neutron.conf
dhcp-option-force=26,1454
user=neutron
group=neutron
c. Kill any existing dnsmasq processes (the agent restarts them with the new options)
# pkill dnsmasq
Configure the metadata agent
1. # vim /etc/neutron/metadata_agent.ini
a. In [DEFAULT], configure the access parameters
[DEFAULT]
auth_url = http://controller.nice.com:5000/v2.0
auth_region = regionOne   (must be exactly the region the endpoints were created with; the catalog lookup is a literal string compare, so "RegionOne" with a capital R is a different, nonexistent region and the agent cannot find nova)
admin_tenant_name = service
admin_user = neutron
admin_password = neutron123
b. In [DEFAULT], configure the metadata host
[DEFAULT]
nova_metadata_ip = controller.nice.com
c. In [DEFAULT], configure the shared secret for the metadata proxy
[DEFAULT]
metadata_proxy_shared_secret = openstack-juno   (choose your own value. nova-api uses this secret to verify the instance-id signature on proxied requests, so anyone who can reach the nova metadata API on port 8775 and guess it can fetch another instance's metadata and user-data; generate it with openssl rand -hex 16 rather than picking a word)
d. Enable debug logging (optional)
[DEFAULT]
debug = True
2. On the controller node, enable the metadata proxy and set the same secret
# vim /etc/nova/nova.conf
[neutron]
service_metadata_proxy=True
metadata_proxy_shared_secret=openstack-juno
3. On the controller node, restart the Compute API service
# systemctl restart openstack-nova-api
Configure the Open vSwitch (OVS) service
1. Start the OVS service and enable it at boot
# systemctl start openvswitch
# systemctl enable openvswitch
2. Add the external bridge br-ex
# ovs-vsctl add-br br-ex
3. Add a port to the external bridge for the interface connected to the external physical network
# ovs-vsctl add-port br-ex ens38   (replace ens38 with the actual external interface name)
Finish the installation
1. Create the symlink for the ML2 configuration and point the OVS agent unit file at it
# ln -sv /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
# cp /usr/lib/systemd/system/neutron-openvswitch-agent.service /usr/lib/systemd/system/neutron-openvswitch-agent.service.orig
# sed -i 's@plugins/openvswitch/ovs_neutron_plugin.ini@plugin.ini@g' /usr/lib/systemd/system/neutron-openvswitch-agent.service
# systemctl daemon-reload   (the unit file changed)
2. Start the Networking services and enable them at boot
# systemctl enable neutron-openvswitch-agent neutron-l3-agent neutron-dhcp-agent neutron-metadata-agent neutron-ovs-cleanup
# systemctl start neutron-openvswitch-agent neutron-l3-agent neutron-dhcp-agent neutron-metadata-agent
Verify (on the controller node)
# source admin-openrc.sh
# neutron agent-list
Install and configure the compute1 node (repeat on every compute node)
Prerequisites
1. Kernel parameters
# vim /etc/sysctl.conf
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
2. Apply the changes
# sysctl -p
Install and configure the Networking components
Problem: the same python-neutron / python2-eventlet conflict as on the controller node:
Error: python-neutron conflicts with python2-eventlet-0.18.4-1.el7.noarch
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Fix:
1. Remove the python2-eventlet package that came from EPEL
# rpm -e --nodeps python2-eventlet
2. Install python-eventlet from the Juno repository (version 0.15.2-1.el7)
# yum --disablerepo=epel install python-eventlet -y
# yum install openstack-neutron-ml2 openstack-neutron-openvswitch -y
# vim /etc/neutron/neutron.conf
a. In [database], comment out any connection option: the compute node talks to neutron-server over the message queue and does not access the database directly, so it should not hold the database password either.
b. In [DEFAULT], configure RabbitMQ access
[DEFAULT]
rabbit_host=controller.nice.com
rabbit_password=guest123
rpc_backend=rabbit
c. In [DEFAULT] and [keystone_authtoken], configure Identity service access
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://controller.nice.com:5000/v2.0
identity_uri = http://controller.nice.com:35357
admin_tenant_name = service
admin_user = neutron
admin_password = neutron123
d. In [DEFAULT], enable the Modular Layer 2 (ML2) plug-in, the router service and overlapping IP addresses
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
e. Enable verbose logging
[DEFAULT]
verbose = True
Configure the Modular Layer 2 (ML2) plug-in
# vim /etc/neutron/plugins/ml2/ml2_conf.ini
a. In [ml2], enable the flat and GRE type drivers, GRE tenant networks and the Open vSwitch mechanism driver
[ml2]
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch
b. In [ml2_type_gre], configure the tunnel identifier range
[ml2_type_gre]
tunnel_id_ranges = 1:1000
c. In [securitygroup], enable security groups and ipset, and set the OVS hybrid iptables firewall driver
[securitygroup]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
d. In [ovs], configure the Open vSwitch (OVS) agent
[ovs]
local_ip = 172.16.0.10   (IP of the compute1 node's instance tunnel interface)
tunnel_type = gre
enable_tunneling = True
Configure the Open vSwitch (OVS) service
Start the OVS service and enable it at boot
# systemctl start openvswitch
# systemctl enable openvswitch
Configure Compute to use Networking
# vim /etc/nova/nova.conf
a. In [DEFAULT], configure the API class and drivers
[DEFAULT]
network_api_class=nova.network.neutronv2.api.API
security_group_api=neutron
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver   (Neutron enforces the security groups on this node through the OVS agent; nova's own firewall must be the no-op driver)
b. In [neutron], configure the access parameters
[neutron]
url=http://controller.nice.com:9696
auth_strategy=keystone
admin_auth_url=http://controller.nice.com:35357/v2.0
admin_tenant_name=service
admin_username=neutron
admin_password=neutron123
Finish the installation
1. Create the symlink for the ML2 configuration and point the OVS agent unit file at it
# ln -sv /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
# cp /usr/lib/systemd/system/neutron-openvswitch-agent.service /usr/lib/systemd/system/neutron-openvswitch-agent.service.orig
# sed -i 's@plugins/openvswitch/ovs_neutron_plugin.ini@plugin.ini@g' /usr/lib/systemd/system/neutron-openvswitch-agent.service
2. Restart the Compute service
# systemctl restart openstack-nova-compute
3. Start the OVS agent and enable it at boot
# systemctl daemon-reload
# systemctl enable neutron-openvswitch-agent.service
# systemctl start neutron-openvswitch-agent.service
Verify (on the controller node)
# source admin-openrc.sh
# neutron agent-list
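Several settings in the Networking steps above have to agree across files on different nodes, and a mismatch does not show up in `neutron agent-list`: the metadata proxy shared secret in metadata_agent.ini (network node) and nova.conf [neutron] (controller); the region name in metadata_agent.ini against the region the endpoints were created with (Keystone compares region strings literally, so regionOne and RegionOne are different regions); and the security-group split between nova.conf and ml2_conf.ini (nova must use the Noop driver while Neutron has security groups enabled; Noop with Neutron's groups disabled leaves instances with no filtering at all). The script below is an added example, not from the original notes: it runs those checks over copies of the four files. The config fragments are constructed here from the values in these notes, with the metadata agent's region and the shared secret parameterised so both the broken and the consistent case can be exercised.

```sh
#!/bin/sh
# Added example (not part of the original notes): cross-check the Neutron/Nova
# settings that must agree across files and nodes. Assumes plain "key = value"
# INI files in which each section of interest appears once; file paths are
# arguments so the check can run on copies collected from the nodes.

# cfg FILE SECTION KEY -> last uncommented value of KEY inside [SECTION]
cfg() {
    sed -n "/^\[$2\]/,/^\[/{ s/^$3[[:space:]]*=[[:space:]]*//p; }" "$1" | tail -n 1
}

# check_neutron_nova_consistency METADATA_AGENT_INI NEUTRON_CONF NOVA_CONF ML2_CONF_INI
# Prints one "FAIL: ..." line per problem; returns 0 only when everything agrees.
check_neutron_nova_consistency() {
    ma=$1 nc=$2 nv=$3 ml2=$4
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    secret_ma=$(cfg "$ma" DEFAULT metadata_proxy_shared_secret)
    secret_nv=$(cfg "$nv" neutron metadata_proxy_shared_secret)
    [ -n "$secret_ma" ] || fail "metadata_agent.ini has no metadata_proxy_shared_secret"
    [ "$secret_ma" = "$secret_nv" ] || fail "metadata_proxy_shared_secret differs between metadata_agent.ini and nova.conf [neutron]"
    [ "${#secret_ma}" -ge 32 ] || fail "metadata_proxy_shared_secret is shorter than 32 characters; generate one with 'openssl rand -hex 16'"
    case $(cfg "$nv" neutron service_metadata_proxy) in
        [Tt]rue) ;;
        *) fail "nova.conf [neutron] service_metadata_proxy is not True" ;;
    esac

    region_ma=$(cfg "$ma" DEFAULT auth_region)
    region_nc=$(cfg "$nc" DEFAULT nova_region_name)
    [ "$region_ma" = "$region_nc" ] || fail "region mismatch (case-sensitive): metadata_agent.ini auth_region='$region_ma', neutron.conf nova_region_name='$region_nc'"

    if [ "$(cfg "$nv" DEFAULT security_group_api)" = neutron ]; then
        case $(cfg "$ml2" securitygroup enable_security_group) in
            [Tt]rue) ;;
            *) fail "nova delegates security groups to Neutron but ml2_conf.ini enable_security_group is not True: instances get no filtering" ;;
        esac
        [ -n "$(cfg "$ml2" securitygroup firewall_driver)" ] || fail "ml2_conf.ini [securitygroup] firewall_driver is unset: Neutron cannot enforce its groups"
        case $(cfg "$nv" DEFAULT firewall_driver) in
            *NoopFirewallDriver) ;;
            *) fail "nova.conf firewall_driver must be nova.virt.firewall.NoopFirewallDriver when Neutron enforces security groups" ;;
        esac
    fi
    return $rc
}

# write_sample_configs DIR REGION SECRET -> constructed fragments of the four
# files as the notes configure them; the metadata agent's region and the shared
# secret are parameters so a broken and a fixed set can both be generated.
write_sample_configs() {
    printf '[DEFAULT]\nauth_url = http://controller.nice.com:5000/v2.0\nauth_region = %s\nadmin_tenant_name = service\nadmin_user = neutron\nnova_metadata_ip = controller.nice.com\nmetadata_proxy_shared_secret = %s\n' "$2" "$3" > "$1/metadata_agent.ini"
    printf '[DEFAULT]\ncore_plugin = ml2\nnova_region_name = regionOne\n[keystone_authtoken]\nauth_uri = http://controller.nice.com:5000/v2.0\n' > "$1/neutron.conf"
    printf '[DEFAULT]\nnetwork_api_class=nova.network.neutronv2.api.API\nsecurity_group_api=neutron\nfirewall_driver=nova.virt.firewall.NoopFirewallDriver\n[neutron]\nurl=http://controller.nice.com:9696\nservice_metadata_proxy=True\nmetadata_proxy_shared_secret=%s\n' "$3" > "$1/nova.conf"
    printf '[ml2]\ntype_drivers = flat,gre\n[securitygroup]\nenable_security_group = True\nenable_ipset = True\nfirewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver\n' > "$1/ml2_conf.ini"
}

# Demo: first a capitalised region and the placeholder secret "openstack-juno",
# then a consistent set with a random-looking 32-character secret.
d=$(mktemp -d)
write_sample_configs "$d" RegionOne openstack-juno
check_neutron_nova_consistency "$d/metadata_agent.ini" "$d/neutron.conf" "$d/nova.conf" "$d/ml2_conf.ini" || echo "first set: NOT consistent"
write_sample_configs "$d" regionOne 5c2f0a9e3b7d4c1e8f6a2b9d0e4c7a1b
check_neutron_nova_consistency "$d/metadata_agent.ini" "$d/neutron.conf" "$d/nova.conf" "$d/ml2_conf.ini" && echo "second set: consistent"
rm -rf "$d"
```

The `cfg` lookup uses a sed range from the section header to the next header, so a `firewall_driver` under [DEFAULT] in nova.conf is never confused with the one under [securitygroup] in ml2_conf.ini. Run the check after editing on each node and before booting the first instance.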
Create the first networks:
On the controller node: the external network
Create the external network (admin only; --shared lets every tenant attach routers to it)
# source admin-openrc.sh
# neutron net-create ext-net --shared --router:external True --provider:physical_network external --provider:network_type flat
Create the external subnet (DHCP disabled: addresses in the pool are handed out by neutron as floating IPs, and the gateway is the physical router)
# neutron subnet-create ext-net --name ext-subnet --allocation-pool start=100.100.100.100,end=100.100.100.240 --disable-dhcp --gateway 100.100.100.10 100.100.100.0/24
On the controller node: the tenant network
Create the tenant network (as the demo user: tenant networks are created by the tenants themselves)
# source demo-openrc.sh
# neutron net-create demo-net
Create the tenant subnet
# neutron subnet-create demo-net --name demo-subnet --gateway 192.168.80.1 192.168.80.0/24
Create a router on the tenant network to connect it to the external network
1. Create the router
# neutron router-create demo-router
2. Attach the router to the demo tenant's subnet
# neutron router-interface-add demo-router demo-subnet
3. Set the router's gateway to attach it to the external network
# neutron router-gateway-set demo-router ext-net
Confirm connectivity
1. Check the IP the router obtained from the external pool
# neutron router-list
(Then ping that address from a host on the external network; a reply confirms the L3 agent, br-ex and the external port are wired correctly.)
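The subnet-create calls above take a CIDR, a gateway and an allocation pool as independent arguments, and neutron only validates them against each other at creation time: a gateway inside the pool is rejected, and a pool that swallows the physical router's address would hand that address out as a floating IP. The function below is an added example, not from the original notes: it checks a subnet plan before the command is run, using only POSIX sh arithmetic. It assumes IPv4 dotted quads; the sample values are the ext-subnet from these notes.

```sh
#!/bin/sh
# Added example (not part of the original notes): sanity-check a subnet plan
# (CIDR, gateway, allocation pool) before "neutron subnet-create". IPv4 only.

# ip2int A.B.C.D -> prints the address as an integer; non-zero status if malformed
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# validate_subnet_plan CIDR GATEWAY POOL_START POOL_END
# Prints one "FAIL: ..." line per problem; returns 0 when the plan is usable.
validate_subnet_plan() {
    cidr=$1 gw=$2 ps=$3 pe=$4
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    net=${cidr%/*}; bits=${cidr#*/}
    case $bits in ''|*[!0-9]*) fail "bad prefix length in $cidr"; return 1 ;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 30 ] || { fail "prefix /$bits leaves no usable host addresses"; return 1; }
    n=$(ip2int "$net") || { fail "bad network address $net"; return 1; }
    g=$(ip2int "$gw")  || { fail "bad gateway $gw"; return 1; }
    s=$(ip2int "$ps")  || { fail "bad pool start $ps"; return 1; }
    e=$(ip2int "$pe")  || { fail "bad pool end $pe"; return 1; }

    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( n & mask ))                       # network address
    last=$(( first | (4294967295 ^ mask) ))     # broadcast address
    [ "$first" -eq "$n" ] || fail "$cidr is not aligned to a /$bits boundary"

    usable() { [ "$1" -gt "$first" ] && [ "$1" -lt "$last" ]; }   # excludes network and broadcast
    usable "$g" || fail "gateway $gw is outside the usable range of $cidr"
    usable "$s" && usable "$e" || fail "allocation pool $ps-$pe is outside the usable range of $cidr"
    [ "$s" -le "$e" ] || fail "allocation pool start $ps is after end $pe"
    if [ "$g" -ge "$s" ] && [ "$g" -le "$e" ]; then
        fail "gateway $gw lies inside the allocation pool $ps-$pe (neutron rejects this)"
    fi
    return $rc
}

# Demo: the ext-subnet from the notes, then the same plan with the gateway moved into the pool.
validate_subnet_plan 100.100.100.0/24 100.100.100.10 100.100.100.100 100.100.100.240 && echo "ext-subnet plan ok"
validate_subnet_plan 100.100.100.0/24 100.100.100.150 100.100.100.100 100.100.100.240 || echo "rejected as expected"
```

The pool boundaries are checked against the usable range (network and broadcast excluded), which is stricter than neutron itself only in that it also rejects a pool end equal to the broadcast address; everything else it flags, neutron would refuse too, but after the network has already been created.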
V. horizon (Dashboard):
Install the dashboard packages
# yum install openstack-dashboard httpd mod_wsgi memcached python-memcached -y
Configure the dashboard
# vim /etc/openstack-dashboard/local_settings
1. Point the dashboard at the OpenStack services on the controller node
OPENSTACK_HOST = "controller.nice.com"
2. Allow hosts from all networks to access the dashboard
ALLOWED_HOSTS = ['*']
(ALLOWED_HOSTS is Django's Host-header check. '*' is fine for the lab; in production list the names the dashboard is actually reached by, e.g. ['controller.nice.com', 'localhost'], so a request with a forged Host header is rejected instead of having that host reflected into the absolute URLs Django builds.)
3. Configure memcached session storage (comment out the existing CACHES block)
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    }
}
4. Configure the time zone (optional)
TIME_ZONE = "Asia/Shanghai"
Finish the installation
1. On RHEL/CentOS, allow the web server to connect to the OpenStack services under SELinux (only needed if SELinux is still enforcing)
# setsebool -P httpd_can_network_connect on
2. Fix ownership so the dashboard's CSS can be loaded
# chown -R apache:apache /usr/share/openstack-dashboard/static
3. Start httpd and memcached and enable them at boot
# systemctl enable httpd memcached
# systemctl start httpd memcached
Verify
1. Open the dashboard at http://controller.nice.com/dashboard
2. Log in as admin or demo
(The dashboard is served over plain HTTP here, so the admin password crosses the network in the clear; configure TLS in httpd before exposing it beyond the lab.)