官方文档:https://docs.openstack.org/mitaka/install-guide-rdo/
环境:
controller 172.25.24.1 控制节点
compute1 172.25.24.2 计算节点
关闭firewalld,selinux
虚拟机添加双网卡
修改主机名并关闭NetworkManager
# Controller node host preparation: NetworkManager is stopped and disabled so
# that the static ifcfg files below own the interfaces; then the hostname is set.
systemctl stop NetworkManager
systemctl disable NetworkManager
hostnamectl set-hostname controller
# eth0: management interface with a static address (172.25.24.1/24, gateway .250).
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.24.1
PREFIX=24
GATEWAY=172.25.24.250
DNS1=114.114.114.114
# eth1: provider interface, brought up without an IP address; it is mapped as
# provider:eth1 in linuxbridge_agent.ini further down this page.
vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
配置时间同步
# Package sources: a local RHEL 7.3 mirror and the OpenStack packages.
vim /etc/yum.repos.d/yum.repo
[rhel7.3]
name=rhel7.3
baseurl=http://172.25.24.250/rhel7.3
# gpgcheck=0 turns off package signature verification for this repo: whatever
# the mirror serves over plain http is installed as-is, with no integrity check.
gpgcheck=0
[openstack]
# NOTE(review): the label says ocata but baseurl points at the mitaka tree,
# which is the release this page installs — cosmetic, but misleading.
name=ocata
baseurl=ftp://172.25.24.250/pub/docs/openstack/mitaka
# Signature verification disabled here as well (see above).
gpgcheck=0
yum upgrade -y #upgrade the packages on the host
yum install -y python-openstackclient #install the OpenStack client
yum install -y mariadb mariadb-server python2-PyMySQL #the install pulls in dependencies
# --force makes rpm skip its conflict/dependency checks for a local, unverified
# openssl-libs package; confirm where that file came from before forcing it in.
rpm -ivh openssl-libs-1.0.2k-12.el7.x86_64.rpm --force #work around the dependency problem
# MariaDB settings for OpenStack: bind only to the management address so the
# database is not reachable on every interface; InnoDB with per-table files,
# a raised connection limit and UTF-8 server defaults.
vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 172.25.24.1
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
systemctl enable mariadb.service
systemctl start mariadb.service
执行 mysql_secure_installation 脚本来对数据库进行安全加固
# Message queue. Every service on this page connects to RabbitMQ as the
# "openstack" user, so the password set here must be the one written as
# rabbit_password in nova.conf/neutron.conf further down. Those sections use
# "openstack", while this line still carries the upstream placeholder
# RABBIT_PASS — pick one (ideally generated) value and use it in both places.
yum install -y rabbitmq-server
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service
rabbitmqctl add_user openstack RABBIT_PASS #add the openstack user
rabbitmqctl set_permissions openstack ".*" ".*" ".*" #configure write and read permissions for the ``openstack`` user
rabbitmq-plugins list
# The management plugin serves a web UI on port 15672 (checked below with the
# built-in guest account). If that UI is reachable from outside the controller,
# change the guest password or remove the account.
rabbitmq-plugins enable rabbitmq_management
netstat -antlp
物理机firefox访问172.25.24.1:15672
帐号:guest
密码:guest
# Memcached backs the keystone token cache (memcached_servers = controller:11211
# in the service configs below, including the one on the compute node).
yum install -y memcached python-memcached
cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
# Commenting out -l drops the loopback-only bind, so memcached listens on all
# interfaces. Memcached has no authentication: the compute node does need to
# reach it, but binding to the management address (-l 172.25.24.1) instead of
# every interface is the smaller exposure, especially with firewalld disabled.
#OPTIONS="-l 127.0.0.1,::1" #comment out this parameter
systemctl start memcached.service
systemctl enable memcached.service
# Identity service database. The password in the GRANT ('keystone') is the one
# the connection= line in keystone.conf must carry.
mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
# '%' lets the keystone DB user connect from any host; the bind-address set
# above keeps the listener on the management network only.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
openssl rand -hex 10 #generate a random value to use as the admin token in the initial configuration
# Output of the command above; it is reused as admin_token and OS_TOKEN below.
b1a229ca636fa799fcf0
yum install openstack-keystone httpd mod_wsgi
编辑文件 /etc/keystone/keystone.conf
vim /etc/keystone/keystone.conf
[DEFAULT]
# Bootstrap credential: anyone who can read this file (or the shell history
# holding OS_TOKEN) has full admin rights for as long as token auth is enabled.
# The upstream guide disables admin_token auth once the admin user exists;
# that step is not shown on this page.
admin_token = b1a229ca636fa799fcf0 #use the random value generated above
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone #the second "keystone" is the database password (KEYSTONE_DBPASS upstream)
[token]
provider = fernet
su -s /bin/sh -c "keystone-manage db_sync" keystone #populate the Identity service database
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone #initialize the Fernet keys
# The page does not show what is changed in httpd.conf; the upstream guide
# sets ServerName controller here — confirm.
vim /etc/httpd/conf/httpd.conf
# Apache/mod_wsgi front end for keystone; the file contents follow.
vim /etc/httpd/conf.d/wsgi-keystone.conf
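# Keystone behind mod_wsgi: one VirtualHost per API port (5000 public,
# 35357 admin). The <VirtualHost> and <Directory> container tags were lost
# when this page was extracted (only their "Require all granted" lines
# survived); they are restored here as in the upstream file, so that port
# 5000 serves the public app and 35357 the admin app.
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    # Hand the Authorization header to keystone instead of letting Apache consume it.
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>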
# Bring up Apache, which now serves both keystone API ports.
systemctl start httpd.service
systemctl enable httpd.service
配置认证令牌
# Bootstrap token from keystone.conf, placed in the environment: it is visible
# to every child process and ends up in the shell history; it is unset once
# the admin user exists (see unset OS_TOKEN OS_URL below).
export OS_TOKEN=b1a229ca636fa799fcf0
配置端点URL
# Admin API endpoint (port 35357, v3) used while bootstrapping with the token.
export OS_URL=http://controller:35357/v3
配置认证 API 版本
export OS_IDENTITY_API_VERSION=3
openstack service create --name keystone --description "OpenStack Identity" identity #create the service entity for the Identity service
创建认证服务的 API 端点
# Identity API endpoints for the service catalog. NOTE(review): these register
# the /v2.0 paths while everything else on this page (OS_URL, the openrc files,
# the services' auth_url) uses v3; the upstream Mitaka guide registers
# http://controller:5000/v3 and http://controller:35357/v3 here — confirm.
openstack endpoint create --region RegionOne \
identity public http://controller:5000/v2.0
openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v2.0
openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v2.0
创建项目、用户和角色
# Domain, projects, users and roles. Passwords given with --password on the
# command line are recorded in the shell history (and visible in ps while the
# command runs); --password-prompt reads them interactively instead.
openstack domain create --description "Default Domain" default #create the default domain
openstack project create --domain default \
--description "Admin Project" admin #create the admin project
openstack user create --domain default \
--password admin admin #create the admin user; with this form the password can be read back from the shell history
openstack role create admin #create the admin role
openstack role add --project admin --user admin admin # add the ``admin`` role to the admin project and user
openstack project create --domain default \
--description "Service Project" service #create the ``service`` project
openstack project create --domain default \
--description "Demo Project" demo #create the ``demo`` project; do not repeat this step when creating additional users for this project
openstack user create --domain default \
--password demo demo #create the ``demo`` user; with this form the password can be read back from the shell history
openstack role create user # create the user role
openstack role add --project demo --user demo user #add the user role to the ``demo`` project and user
在控制节点上执行这些命令
# Drop the bootstrap token and switch to password authentication; from here on
# the admin_token in keystone.conf is no longer needed by the client.
unset OS_TOKEN OS_URL #clear the ``OS_TOKEN`` and ``OS_URL`` environment variables
# Admin users authenticate against the admin port (35357).
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue # request an authentication token as the admin user; enter the ``admin`` user's password
# Unprivileged users authenticate against the public port (5000).
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue #request an authentication token as the ``demo`` user
cd #go to the user's home directory
# admin-openrc: client credentials for the admin user. OS_PASSWORD is stored
# in clear text, so keep the file owner-readable only (chmod 600) and out of
# shared directories or version control.
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
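# demo-openrc: client credentials for the unprivileged demo user. The page
# repeated the admin-openrc contents under a second "vim admin-openrc"; the
# upstream guide creates demo-openrc here, with the demo project/user, the
# password set for demo above, and the public auth URL (port 5000) used for
# the demo token request above. Same handling as admin-openrc: clear-text
# password, keep the file owner-readable only.
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
source admin-openrc #use the admin script; the demo user lacks the privileges for the steps that follow
openstack token issue #request an authentication token to confirm the sourced credentials work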
# Image service database and identity objects. The GRANT password ('glance')
# is what connection= in glance-api.conf/glance-registry.conf must carry.
mysql -p
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
IDENTIFIED BY 'glance';
openstack user create --domain default --password glance glance #create the glance user (password on the command line lands in the shell history)
openstack role add --project service --user glance admin #add the admin role to the glance user in the service project
openstack service create --name glance \
--description "OpenStack Image" image #create the ``glance`` service entity
创建镜像服务的 API 端点
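# Image API endpoints. The page lacked the trailing backslashes, so each
# "image public ..." line would have run as a separate command; the three
# commands are restored as single invocations, matching the other endpoint
# blocks on this page.
openstack endpoint create --region RegionOne \
image public http://controller:9292
openstack endpoint create --region RegionOne \
image internal http://controller:9292
openstack endpoint create --region RegionOne \
image admin http://controller:9292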
yum install -y openstack-glance
vim /etc/glance/glance-api.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance
# Service credentials used to validate incoming tokens; username/password
# must match the glance user created above. The password is stored in clear
# text, so the file should stay readable by the glance service user only.
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
# Images are kept on the local filesystem under /var/lib/glance/images/.
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
# Registry service: same database and the same keystone credentials as the
# API service above.
vim /etc/glance/glance-registry.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
su -s /bin/sh -c "glance-manage db_sync" glance #populate the Image service database; ignore any deprecation messages in the output
systemctl start openstack-glance-api.service \
openstack-glance-registry.service
systemctl enable openstack-glance-api.service \
openstack-glance-registry.service
下载源镜像
# Upload the test image. --public makes it usable by every project; the file
# is taken as-is, so compare its checksum with the one published for
# cirros-0.3.5 before uploading.
openstack image create "cirros" \
--file cirros-0.3.5-x86_64-disk.img \
--disk-format qcow2 --container-format bare \
--public #upload the image
openstack image list #confirm the upload and verify the attributes
配置控制节点
# Compute databases: nova_api (API data) and nova (cell data). The GRANT
# password ('nova') is what the two connection= lines in nova.conf must carry.
mysql -p
CREATE DATABASE nova_api;
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \
IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
IDENTIFIED BY 'nova';
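# Compute identity objects. The page's user-create line was broken: it lacked
# the trailing backslash and "--password" had been turned into an en dash
# ("–password"), so the command would not have parsed; both are restored.
# The password on the command line lands in the shell history
# (--password-prompt avoids that).
openstack user create --domain default \
--password nova nova # create the nova user
openstack role add --project service --user nova admin #add the admin role to the nova user
openstack service create --name nova \
--description "OpenStack Compute" compute # create the nova service entity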
创建 Compute 服务 API 端点
# Compute API endpoints; %\(tenant_id\)s is escaped so the shell passes the
# literal %(tenant_id)s template through to the catalog.
openstack endpoint create --region RegionOne \
compute public http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute internal http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute admin http://controller:8774/v2.1/%\(tenant_id\)s
# Controller-side compute services (the hypervisor driver is installed on
# compute1 further down).
yum install -y openstack-nova-api openstack-nova-conductor \
openstack-nova-console openstack-nova-novncproxy \
openstack-nova-scheduler
vim /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 172.25.24.1
use_neutron = True
# Nova applies no firewall rules itself; with use_neutron = True the security
# groups are enforced by the neutron linuxbridge agent (IptablesFirewallDriver
# in linuxbridge_agent.ini on this page).
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
connection = mysql+pymysql://nova:nova@controller/nova_api
[database]
connection = mysql+pymysql://nova:nova@controller/nova
# Must match the password given to "rabbitmqctl add_user openstack" earlier
# on this page (which shows the placeholder RABBIT_PASS).
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
# Service credentials for token validation; clear-text password, keep the
# file readable by the nova service user only.
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
# The noVNC proxy binds to the management address only.
[vnc]
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
[glance]
api_servers = http://controller:9292
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
su -s /bin/sh -c "nova-manage api_db sync" nova #populate the Compute API database
su -s /bin/sh -c "nova-manage db sync" nova #ignore any deprecation messages in this command's output
systemctl enable openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service
systemctl start openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service #start the services
配置计算节点 compute1
虚拟机添加双网卡
修改主机名并关闭NetworkManager
# Compute node host preparation, mirroring the controller: static
# interfaces, NetworkManager off, hostname compute1.
systemctl stop NetworkManager
systemctl disable NetworkManager
hostnamectl set-hostname compute1
# eth0: management interface (172.25.24.2/24).
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.24.2
PREFIX=24
GATEWAY=172.25.24.250
DNS1=114.114.114.114
# eth1: provider interface without an address (mapped as provider:eth1 in the
# compute node's linuxbridge_agent.ini below).
vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
配置时间同步
yum -y upgrade
yum install -y openstack-nova-compute
vim /etc/nova/nova.conf
[DEFAULT]
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 172.25.24.2
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
# Same RabbitMQ credentials as the controller's nova.conf.
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
[vnc]
enabled = True
# 0.0.0.0 exposes every instance's VNC server on all interfaces of compute1;
# only the controller's noVNC proxy needs to reach it, and with firewalld
# disabled nothing else limits access. Listening on the management address
# (172.25.24.2) would be the narrower choice.
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
# Browser clients are sent to the proxy on the controller.
novncproxy_base_url = http://controller:6080/vnc_auto.html
[glance]
api_servers = http://controller:9292
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
egrep -c '(vmx|svm)' /proc/cpuinfo #check whether the compute node supports hardware acceleration for virtual machines
vim /etc/nova/nova.conf #if the count is 0 the configuration file must be changed (upstream guide: set virt_type = qemu in the [libvirt] section)
systemctl enable libvirtd.service openstack-nova-compute.service
systemctl start libvirtd.service openstack-nova-compute.service
# Run on the controller: compute1 should now appear as nova-compute.
openstack compute service list
安装并配置控制节点
# Networking service database and identity objects (controller). The GRANT
# password ('neutron') is what connection= in neutron.conf must carry.
mysql -p
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY 'neutron';
# Password on the command line lands in the shell history.
openstack user create --domain default --password neutron neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron \
--description "OpenStack Networking" network
openstack endpoint create --region RegionOne \
network public http://controller:9696
openstack endpoint create --region RegionOne \
network internal http://controller:9696
openstack endpoint create --region RegionOne \
network admin http://controller:9696
###### 网络选项1:公共网络
yum install -y openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
# Empty: no router/L3 service plugins (provider-network-only layout).
service_plugins =
rpc_backend = rabbit
auth_strategy = keystone
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[database]
connection = mysql+pymysql://neutron:neutron@controller/neutron
# Must match the password given to "rabbitmqctl add_user openstack" earlier.
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
# Credentials neutron uses to notify nova of port changes (the nova user
# created above).
[nova]
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan
# Empty: projects cannot create their own networks; only the provider network.
tenant_network_types =
mechanism_drivers = linuxbridge
# port_security keeps anti-spoofing/security-group enforcement on ports.
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[securitygroup]
enable_ipset = True
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
# "provider" is bridged onto eth1 (the interface left without an address).
[linux_bridge]
physical_interface_mappings = provider:eth1
[vxlan]
enable_vxlan = False
# Security groups are enforced here via iptables (nova's driver is Noop).
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
vim /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
vim /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = controller
# Shared secret with which the metadata proxy signs requests to nova; it must
# equal metadata_proxy_shared_secret in nova.conf [neutron] below. "westos" is
# a guessable lab value — generate one (openssl rand -hex as used above) for
# anything beyond a lab.
metadata_proxy_shared_secret = westos
# Tell nova on the controller how to reach neutron and to trust the metadata
# proxy that neutron runs.
vim /etc/nova/nova.conf
[neutron]
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = westos #this secret is chosen arbitrarily here; it must equal the value in metadata_agent.ini
# neutron-server expects its plugin configuration at /etc/neutron/plugin.ini.
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
# nova-api must be restarted to pick up the new [neutron] section.
systemctl restart openstack-nova-api.service
systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
# Compute node (compute1): only the linuxbridge agent runs here; the file
# holds the same RabbitMQ and keystone credentials as on the controller but
# no [database] section.
yum install -y openstack-neutron-linuxbridge ebtables ipset
vim /etc/neutron/neutron.conf
[DEFAULT]
rpc_backend = rabbit
auth_strategy = keystone
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
# Compute node linuxbridge agent: identical to the controller's — provider
# network on eth1, no VXLAN, security groups enforced with iptables.
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = provider:eth1
[vxlan]
enable_vxlan = False
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
# nova-compute needs the neutron credentials too (no metadata proxy settings
# on the compute node).
vim /etc/nova/nova.conf
[neutron]
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
# Verification (controller), then the provider network shared by all projects.
neutron ext-list #list the loaded extensions to verify that the ``neutron-server`` process started correctly
neutron agent-list #list the agents to verify that the neutron agents started successfully
openstack compute service list
neutron net-create --shared --provider:physical_network provider \
--provider:network_type flat provider
# The subnet is the lab's own 172.25.24.0/24; instances get addresses from
# .100-.200 and use the lab gateway and DNS, so they sit on the same L2
# segment as the controller and compute hosts.
neutron subnet-create --name provider --allocation-pool start=172.25.24.100,end=172.25.24.200 --dns-nameserver 114.114.114.114 --gateway 172.25.24.250 provider 172.25.24.0/24
openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
生成一个密钥对
# -N "" sets an empty passphrase, so the private key in ~/.ssh/id_rsa is stored
# unencrypted; anyone who can read that file can log in to instances using
# mykey.
ssh-keygen -q -N "" #press Enter at the prompt
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
openstack keypair list
增加安全组规则
# Both rules are added to the default security group with no source range,
# so they admit ICMP and SSH from any address on the provider network;
# restrict the source range if the lab network is shared.
openstack security group rule create --proto icmp default
openstack security group rule create --proto tcp --dst-port 22 default
在公有网络上创建实例
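# Launch an instance on the provider network. The console command referred
# to "provider-instance" (the upstream guide's name) although the instance
# created here is om1; it now names om1 like the stop/start commands below.
openstack flavor list # m1.nano should be listed
openstack image list # cirros should be active
openstack network list # the provider network id is the net-id used below
openstack security group list
openstack server create --flavor m1.nano --image cirros --nic net-id=a127cfdf-69ab-4956-a880-47d37d9d8df1 --security-group default --key-name mykey om1 #replace net-id with the id shown by openstack network list; om1 is an arbitrary instance name
openstack server list
openstack console url show om1 # noVNC URL for the instance created above
openstack server stop om1
vim /etc/nova/nova.conf # the page does not show which setting is changed here — TODO confirm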
控制节点
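# Restart the instance and log in with the key pair. The ssh target on the
# page had been garbled into an "[email protected]" placeholder by the
# extraction; INSTANCE_IP must be set to the address shown by
# "openstack server list" (from the 172.25.24.100-200 pool), and cirros is
# the default login user of the CirrOS image uploaded above.
openstack server start om1
openstack console url show om1
ssh "cirros@${INSTANCE_IP:?set to the address from openstack server list}" #key-based login with mykey, no password prompt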