OpenStack云计算平台(一)
OpenStack
- 1.opnestack简要介绍
- 2.openstack核心项目
- 3.环境
-
- 3.1安全
- 3.2主机网络
-
- 3.2.1配置网络接口
- 3.2.2 配置域名解析
- 3.3 网络时间协议(NTP)
- 3.4 OpenStack包
- 3.5 SQL数据库
- 3.6 消息队列
- 3.7 Memcached
- 4. 认证服务
-
- 4.1 先决条件
- 4.2 安全并配置组件
- 4.3 配置 Apache HTTP 服务器
- 4.4 创建服务实体和API端点
- 4.5 创建域、项目、用户和角色
- 4.6 验证操作
- 5. 创建 OpenStack 客户端环境脚本
-
- 5.1 创建脚本
- 5.2 使用脚本
- 6. 镜像服务
-
- 6.1 先决条件
- 6.2 安全并配置组件
- 6.3 验证操作
- 7. 计算服务
-
- 7.1 安装并配置控制节点
- 7.2 创建服务证书
- 7.3 创建 Compute 服务 API 端点
- 7.4 安全并配置组件
- 7.5 在启动一台作为计算节点
- 7.6 host-passthrough的问题(嵌套)
1.opnestack简要介绍
- OpenStack是一个开源的云计算管理平台项目,是一系列软件开源项目的组合。由NASA(美国国家航空航天局)和Rackspace合作研发并发起,以Apache许可证(Apache软件基金会发布的一个自由软件许可证)授权的开源代码项目。
- OpenStack为私有云和公有云提供可扩展的弹性的云计算服务。项目目标是提供实施简单、可大规模扩展、丰富、标准统一的云计算管理平台。
- Openstack是一个云平台管理的项目,它不是一个软件。这个项目由几个主要的组件组合起来完成一些具体的工作。Openstack是一个旨在为公共及私有云的建设与管理提供软件的开源项目。它的社区拥有超过130家企业及1350位开发者,这些机构与个人将
Openstack作为基础设施即服务资源的通用前端。Openstack项目的首要任务是简化云的部署过程并为其带来良好的可扩展性。
2.openstack核心项目
- OpenStack覆盖了网络、虚拟化、操作系统、服务器等各个方面。它是一个正在开发中的云计算平台项目,根据成熟及重要程度的不同,被分解成核心项目、孵化项目,以及支持项目和相关项目。每个项目都有自己的委员会和项目技术主管,而且每个项目都不是一成不变的,孵化项目可以根据发展的成熟度和重要性,转变为核心项目。截止到Icehouse版本,下面列出了10个核心项目(即OpenStack服务)。
- 计算(Compute):Nova。一套控制器,用于为单个用户或使用群组管理虚拟机实例的整个生命周期,根据用户需求来提供虚拟服务。负责虚拟机创建、开机、关机、挂起、暂停、调整、迁移、重启、销毁等操作,配置CPU、内存等信息规格。自Austin版本集成到项目中。
- 对象存储(ObjectStorage):Swift。一套用于在大规模可扩展系统中通过内置冗余及高容错机制实现对象存储的系统,允许进行存储或者检索文件。可为Glance提供镜像存储,为Cinder提供卷备份服务。自Austin版本集成到项目中。
- 镜像服务(ImageService):Glance。一套虚拟机镜像查找及检索系统,支持多种虚拟机镜像格式(AKI、AMI、ARI、ISO、QCOW2、Raw、VDI、VHD、VMDK),有创建上传镜像、删除镜像、编辑镜像基本信息的功能。自Bexar版本集成到项目中。
- 身份服务(IdentityService):Keystone。为OpenStack其他服务提供身份验证、服务规则和服务令牌的功能,管理Domains、Projects、Users、Groups、Roles。自Essex版本集成到项目中。
- 网络&地址管理(Network):Neutron。提供云计算的网络虚拟化技术,为OpenStack其他服务提供网络连接服务。为用户提供接口,可以定义Network、Subnet、Router,配置DHCP、DNS、负载均衡、L3服务,网络支持GRE、VLAN。插件架构支持许多主流的网络厂家和技术,如OpenvSwitch。自Folsom版本集成到项目中。
- 块存储 (BlockStorage):Cinder。为运行实例提供稳定的数据块存储服务,它的插件驱动架构有利于块设备的创建和管理,如创建卷、删除卷,在实例上挂载和卸载卷。自Folsom版本集成到项目中。
- UI 界面 (Dashboard):Horizon。OpenStack中各种服务的Web管理门户,用于简化用户对服务的操作,例如:启动实例、分配IP地址、配置访问控制等。自Essex版本集成到项目中。
- 测量 (Metering):Ceilometer。像一个漏斗一样,能把OpenStack内部发生的几乎所有的事件都收集起来,然后为计费和监控以及其它服务提供数据支撑。自Havana版本集成到项目中。
- 部署编排 (Orchestration):Heat。提供了一种通过模板定义的协同部署方式,实现云基础设施软件运行环境(计算、存储和网络资源)的自动化部署。自Havana版本集成到项目中。
- 数据库服务(DatabaseService):Trove。为用户在OpenStack的环境提供可扩展和可靠的关系和非关系数据库引擎服务。自Icehouse版本集成到项目中。
openstack官网
3.环境
3.1安全
3.2主机网络
3.2.1配置网络接口
[root@westos Desktop]# cd /boot/
[root@westos boot]# ls
config-4.18.0-193.el8.x86_64
efi
extlinux
grub2
initramfs-0-rescue-fdab85af04c04962873b8d34852a2152.img
initramfs-4.18.0-193.el8.x86_64.img
initramfs-4.18.0-193.el8.x86_64kdump.img
loader
System.map-4.18.0-193.el8.x86_64
vmlinuz-0-rescue-fdab85af04c04962873b8d34852a2152
vmlinuz-4.18.0-193.el8.x86_64
[root@westos boot]# cd grub2/
[root@westos grub2]# vim grubenv
#nouveau.modeset=0 net.ifnames=0 ##如果主机名不一致可以修改一下。比如网卡是eth0,另一个是eth1就是正确的,是ens这种别的就需要添加下面的参数。
[root@westos grub2]# cat grubenv
# GRUB Environment Block
saved_entry=fdab85af04c04962873b8d34852a2152-4.18.0-193.el8.x86_64
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet
boot_success=0
boot_indeterminate=0
#nouveau.modeset=0 net.ifnames=0 ##需要加到kernelopts这一行
[root@server1 ~]# cd /etc/sysconfig/network-scripts/
[root@server1 network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[root@server1 network-scripts]# vim ifcfg-eth1
[root@server1 network-scripts]# cat ifcfg-eth1
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
[root@server1 network-scripts]# ifup eth1
[root@server1 network-scripts]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:a3:b3:d3 brd ff:ff:ff:ff:ff:ff
inet 172.25.13.1/24 brd 172.25.13.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fea3:b3d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:43:33:f3 brd ff:ff:ff:ff:ff:ff
inet6 fe80::5054:ff:fe43:33f3/64 scope link
valid_lft forever preferred_lft forever
3.2.2 配置域名解析
[root@server1 network-scripts]# hostnamectl set-hostname controller
[root@server1 network-scripts]# vim /etc/hosts
[root@server1 network-scripts]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.13.1 controller
172.25.13.2 compute1
172.25.13.3 block1
172.25.13.4 server4
172.25.13.5 server5
172.25.13.6 server6
172.25.13.7 server7
172.25.13.250 westos.westos.org
3.3 网络时间协议(NTP)
##真机配置chronyd(真机开了防火墙一定要添加ntp服务)
[root@westos ~]# vim /etc/chrony.conf ##真机
pool ntp1.aliyun.com iburst
# Allow NTP client access from local network.
allow 172.25/24
[root@westos ~]# systemctl restart chronyd.service
##虚拟机必须同步时间,不然会出错
[root@controller ~]# yum install chrony
[root@controller ~]# vim /etc/chrony.conf
server 172.25.13.250 iburst
[root@controller ~]# timedatectl set-timezone Asia/Shanghai
[root@controller ~]# systemctl restart chronyd.service ##重启服务
[root@controller ~]# chronyc sources -v ##查看是否连接成功
3.4 OpenStack包
##1. 配置真机文件
[root@westos ~]# cd /var/www/html/
[root@westos html]# lftp 172.25.254.250
lftp 172.25.254.250:~> cd pub/openstack/
lftp 172.25.254.250:/pub/openstack> mirror mitaka/
Total: 1 directory, 286 files, 0 symlinks
New: 286 files, 0 symlinks
144203995 bytes transferred in 2 seconds (55.85 MiB/s)
lftp 172.25.254.250:/pub/openstack>
lftp 172.25.254.250:/pub/openstack> exit
[root@westos html]# ls
ansible docker-ce index.html mitaka rhel7.6 rhel8.2 software
##2. controller主机仓库
[root@controller ~]# cd /etc/yum.repos.d/
[root@controller yum.repos.d]# vim openstack.repo
[root@controller yum.repos.d]# cat openstack.repo
[openstack]
name=openstack
baseurl=http://172.25.13.250/mitaka
gpgcheck=0
[root@controller yum.repos.d]# yum repolist list
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
openstack | 2.9 kB 00:00
openstack/primary_db | 141 kB 00:00
repolist: 0
[root@controller yum.repos.d]# yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
repo id repo name status
openstack openstack 279
rhel7.6 rhel7.6 5,152
repolist: 5,431
[root@controller ~]# yum upgrade ##在主机上升级包
[root@controller ~]# yum install python-openstackclient -y ##安装 OpenStack 客户端
3.5 SQL数据库
[root@controller ~]# yum install mariadb mariadb-server python2-PyMySQL ##安装软件包
[root@controller ~]# vim /etc/my.cnf.d/openstack.cnf
[root@controller ~]# cat /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 172.25.13.1
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
[root@controller ~]# systemctl enable --now mariadb.service
[root@controller ~]# mysql_secure_installation ##安全初始化,设个root密码,其他全是Y
3.6 消息队列
[root@controller ~]# yum install rabbitmq-server -y ##
[root@controller ~]# systemctl enable --now rabbitmq-server.service
[root@controller ~]# rabbitmqctl add_user openstack openstack ##添加 openstack 用户
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" ##给``openstack``用户配置写和读权限
[root@controller ~]# rabbitmq-plugins list
[root@controller ~]# rabbitmq-plugins enable rabbitmq_management ##启动
3.7 Memcached
[root@controller ~]# yum install memcached python-memcached -y #安装软件包
[root@controller ~]# systemctl enable --now memcached.service ##启动
[root@controller ~]# netstat -antlp | grep :11211
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 16081/memcached
tcp6 0 0 ::1:11211 :::* LISTEN 16081/memcached
[root@controller ~]# vim /etc/sysconfig/memcached
[root@controller ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
#OPTIONS="-l 127.0.0.1,::1" ##注释之后默认访问所有网段
[root@controller ~]# systemctl restart memcached.service
4. 认证服务
4.1 先决条件
#完成下面的步骤以创建数据库
[root@controller ~]# mysql -p #用数据库连接客户端以 root 用户连接到数据库服务器
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone; #创建 keystone 数据库
Query OK, 1 row affected (0.00 sec)
##对``keystone``数据库授予恰当的权限
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ -> IDENTIFIED BY 'keystone';
[root@controller ~]# mysql -u keystone -p ##登陆测试
MariaDB [(none)]>
4.2 安全并配置组件
[root@controller ~]# openssl rand -hex 10 #生成一个随机值在初始的配置中作为管理员的令牌。
2c824d60aa530b959bdc
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller ~]# vim /etc/keystone/keystone.conf ##
[DEFAULT] ##在``[DEFAULT]``部分,定义初始管理令牌的值
admin_token =2c824d60aa530b959bdc
[database] ##在 [database] 部分,配置数据库访问
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token] ###在``[token]``部分,配置Fernet UUID令牌的提供者。
provider = fernet
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone ##初始化身份认证服务的数据库
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone ##初始化Fernet keys
[root@controller ~]# cd /etc/keystone/
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini sso_callback_template.html
fernet-keys logging.conf
keystone.conf policy.json
4.3 配置 Apache HTTP 服务器
[root@controller ~]# vim /etc/httpd/conf/httpd.conf ##编辑``/etc/httpd/conf/httpd.conf`` 文件,配置``ServerName`` 选项为控制节点
ServerName controller
[root@controller conf.d]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller conf.d]# cat /etc/httpd/conf.d/wsgi-keystone.conf ##用下面的内容创建文件 /etc/httpd/conf.d/wsgi-keystone.conf。
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
[root@controller conf.d]# systemctl enable --now httpd.service ##一定要自启动,不然整个服务是起不来的
4.4 创建服务实体和API端点
[root@controller ~]# export OS_TOKEN=2c824d60aa530b959bdc ##配置认证令牌
[root@controller ~]# export OS_URL=http://controller:35357/v3 ##配置端点URL
[root@controller ~]# export OS_IDENTITY_API_VERSION=3 ##配置认证 API 版本
##1. 在你的Openstack环境中,认证服务管理服务目录。服务使用这个目录来决定您的环境中可用的服务。
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity ##创建服务实体和身份认证服务
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 8fca5715645f43b5bd5d84d1a1eb4ec5 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
##2.身份认证服务管理了一个与您环境相关的 API 端点的目录。服务使用这个目录来决定如何与您环境中的其他服务进行通信
##创建认证服务的 API 端点
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1f6d00909eef4078a8fa5691c185a896 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8fca5715645f43b5bd5d84d1a1eb4ec5 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d5702854772b4774a37c0bf839187eb0 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8fca5715645f43b5bd5d84d1a1eb4ec5 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b960b6acb0f34a55a85fcd251b5201c7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8fca5715645f43b5bd5d84d1a1eb4ec5 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
4.5 创建域、项目、用户和角色
##1.身份认证服务为每个OpenStack服务提供认证服务。认证服务使用 T domains, projects (tenants), :term:`users`和 :term:`roles`的组合。
##1.创建域``default``:
[root@controller ~]# openstack domain create --description "Default Domain" default
##2.在你的环境中,为进行管理操作,创建管理的项目、用户和角色:
##2.1创建 admin 项目:
[root@controller ~]# openstack project create --domain default \
> --description "Admin Project" admin
##2.2 创建 admin 用户
[root@controller ~]# openstack user create --domain default --password admin admin
##2.2创建 admin 角色
[root@controller ~]# openstack role create admin
##2.3 添加``admin`` 角色到 admin 项目和用户上
[root@controller ~]# openstack role add --project admin --user admin admin
##3. 本指南使用一个你添加到你的环境中每个服务包含独有用户的service 项目。创建``service``项目
[root@controller ~]# openstack project create --domain default --description "Service Project" service
##4.常规(非管理)任务应该使用无特权的项目和用户。作为例子,本指南创建 demo 项目和用户
##4.1创建``demo`` 项目
[root@controller ~]# openstack project create --domain default --description "Demo Project" demo
##4.2 创建demo用户
[root@controller ~]# openstack user create --domain default --password demo demo
##4.3 创建 user 角色
[root@controller ~]# openstack role create user
## 4.4 添加 user``角色到 ``demo 项目和用户
[root@controller ~]# openstack role add --project demo --user demo user
4.6 验证操作
##1。重置``OS_TOKEN``和``OS_URL`` 环境变量
[root@controller ~]# unset OS_TOKEN OS_URL
##2。作为 admin 用户,请求认证令牌
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue ##密码是admin
##3. 作为``demo`` 用户,请求认证令牌
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
5. 创建 OpenStack 客户端环境脚本
5.1 创建脚本
#1.创建脚本,创建 admin 和 ``demo``项目和用户创建客户端环境变量脚本。本指南的接下来的部分会引用这些脚本,为客户端操作加载合适的的凭证。
##1.1 编辑文件 admin-openrc 并添加如下内容:
[root@controller ~]# vim admin-openrc
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
##1.2 编辑文件 demo -openrc 并添加如下内容:
[root@controller ~]# vim demo-openrc
[root@controller ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
5.2 使用脚本
[root@controller ~]# source admin-openrc ##每次使用都需要source,后面的文件会指定用户。admin是系统用户,其他用户权限不够
[root@controller ~]# openstack token issue ##请求认证令牌
[root@controller ~]# openstack user list ##查看用户信息
[root@controller ~]# openstack project list ##查看项目信息
[root@controller ~]# openstack endpoint list ##查看api接口
6. 镜像服务
6.1 先决条件
#1.
##1.1用数据库连接客户端以 root 用户连接到数据库服务器:
[root@controller ~]# mysql -p
Enter password: ##westos密码
Query OK, 0 rows affected (0.00 sec)
##1.2.创建 glance 数据库:
MariaDB [(none)]> CREATE DATABASE glance;
##1.3.对``glance``数据库授予恰当的权限:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
##1.4.退出数据库客户端。
#2.获得 admin 凭证来获取只有管理员能执行的命令的访问权限:
[root@controller ~]# source admin-openrc
#3. 创建服务证书
##3.1 创建 glance 用户:
[root@controller ~]# openstack user create --domain default --password glance glance
## 3.2 添加 admin 角色到 glance 用户和 service 项目上。
[root@controller ~]# openstack role add --project service --user glance admin
## 3.3 创建``glance``服务实体:
[root@controller ~]# openstack service create --name glance --description "OpenStack Image" image
#4. 创建镜像服务的 API 端点
[root@controller ~]# openstack endpoint create --region RegionOne \
> image public http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne \
> image internal http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne \
> image admin http://controller:9292
6.2 安全并配置组件
##1. 安装软件包
[root@controller ~]# yum install openstack-glance
##2. 编辑文件 /etc/glance/glance-api.conf 并完成如下动作
[database]
connection = mysql+pymysql://glance:glance@controller/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
[root@controller ~]# vim /etc/glance/glance-api.conf
##3.编辑文件 ``/etc/glance/glance-registry.conf``并完成如下动作
[root@controller ~]# vim /etc/glance/glance-registry.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
## 4.写入镜像服务数据库
[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance
##忽略输出中任何不推荐使用的信息。
## 5. 完成并启动
[root@controller ~]# systemctl enable --now openstack-glance-api.service openstack-glance-registry.service
[root@controller ~]# netstat -antlp | grep :9292
tcp 0 0 0.0.0.0:9292 0.0.0.0:* LISTEN 18223/python2
## 6。查看日志部分
[root@controller ~]# cd /var/log/
[root@controller log]# ls
anaconda btmp dmesg.old lastlog qemu-ga tuned
audit chrony glance maillog rabbitmq wtmp
boot.log cron httpd mariadb rhsm yum.log
boot.log-20210324 dmesg keystone messages secure
[root@controller log]# cd glance/
[root@controller glance]# ls
api.log registry.log
6.3 验证操作
#2. 下载镜像源
#wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img 测试镜像
[root@controller ~]# ls
admin-openrc cirros-0.4.0-x86_64-disk.img demo-openrc
#3。使用 QCOW2 磁盘格式, bare 容器格式上传镜像到镜像服务并设置公共可见,这样所有的项目都可以访问它
[root@controller ~]# openstack image create "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --public
#4。确认镜像的上传并验证属性
[root@controller ~]# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 2785a258-64e0-442a-b691-e7a54823d9d8 | cirros | active |
+--------------------------------------+--------+--------+
[root@controller ~]# ll /var/lib/glance/images/
total 12420
-rw-r----- 1 glance glance 12716032 Mar 24 14:40 2785a258-64e0-442a-b691-e7a54823d9d8
[root@controller images]# du -h 2785a258-64e0-442a-b691-e7a54823d9d8
13M 2785a258-64e0-442a-b691-e7a54823d9d8
7. 计算服务
7.1 安装并配置控制节点
#创建数据库
[root@controller ~]# mysql -p
MariaDB [(none)]> CREATE DATABASE nova_api;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE DATABASE nova;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
7.2 创建服务证书
##1.创建 nova 用户
[root@controller ~]# openstack user create --domain default \
> --password nova nova
#2.给 nova 用户添加 admin 角色:
[root@controller ~]# openstack role add --project service --user nova admin
## 3. 创建 nova 服务实体
[root@controller ~]# openstack service create --name nova \
> --description "OpenStack Compute" compute
7.3 创建 Compute 服务 API 端点
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute public http://controller:8774/v2.1/%\(tenant_id\)s
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute internal http://controller:8774/v2.1/%\(tenant_id\)s
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute admin http://controller:8774/v2.1/%\(tenant_id\)s
7.4 安全并配置组件
[root@controller ~]# yum install openstack-nova-api openstack-nova-conductor \
> openstack-nova-console openstack-nova-novncproxy \
> openstack-nova-scheduler
##2.配置
参考https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/nova-controller-install.html
##3.同步Compute 数据库
[root@controller ~]# su -s /bin/sh -c "nova-manage api_db sync" nova
[root@controller ~]# su -s /bin/sh -c "nova-manage db sync" nova
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `block_device_mapping_instance_uuid_virtual_name_device_name_idx`. This is deprecated and will be disallowed in a future release.')
result = self._query(query)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `uniq_instances0uuid`. This is deprecated and will be disallowed in a future release.')
result = self._query(query)
##启动compute
[root@controller ~]# systemctl enable --now openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
[root@controller ~]# netstat -antlp | grep :8774
tcp 0 0 0.0.0.0:8774 0.0.0.0:* LISTEN 19227/python2
[root@controller ~]# openstack compute service list
+----+-------------+------------+----------+---------+-------+--------------+
| Id | Binary | Host | Zone | Status | State | Updated At |
+----+-------------+------------+----------+---------+-------+--------------+
| 1 | nova- | controller | internal | enabled | up | 2021-03-24T0 |
| | scheduler | | | | | 7:30:38.0000 |
| | | | | | | 00 |
| 2 | nova- | controller | internal | enabled | up | 2021-03-24T0 |
| | conductor | | | | | 7:30:38.0000 |
| | | | | | | 00 |
| 3 | nova- | controller | internal | enabled | up | 2021-03-24T0 |
| | consoleauth | | | | | 7:30:38.0000 |
| | | | | | | 00 |
+----+-------------+------------+----------+---------+-------+--------------+
7.5 在启动一台作为计算节点
[root@compute1 ~]# hostname
compute1
[root@compute1 network-scripts]# cat ifcfg-eth1
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
[root@compute1 ~]# vim /etc/hosts ##解析
[root@compute1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.13.1 controller
172.25.13.2 compute1
172.25.13.3 block1
[root@compute1 ~]# yum install chrony -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package chrony-3.2-2.el7.x86_64 already installed and latest version
Nothing to do
[root@compute1 ~]# vim /etc/chrony.conf
[root@compute1 ~]# systemctl start chronyd
[root@compute1 ~]# systemctl enable --now chronyd
[root@compute1 ~]#
##1。安装软件
[root@compute1 ~]# ll /etc/yum.repos.d/openstack.repo
-rw-r--r-- 1 root root 74 Mar 24 03:42 /etc/yum.repos.d/openstack.repo
[root@compute1 ~]# yum install openstack-nova-compute
##2。 配置文件/etc/nova/nova.conf。参考https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/nova-compute-install.html
##3。完成安装
[root@compute1 ~]# egrep -c '(vmx|svm)' /proc/cpuinfo
2
[root@compute1 ~]# systemctl enable --now libvirtd.service openstack-nova-compute.service
7.6 host-passthrough的问题(嵌套)
[root@westos Desktop]# cd /sys/module/
[root@westos module]# cd kvm_amd/
[root@westos kvm_amd]# ls
coresize initsize notes refcnt sections taint
holders initstate parameters rhelversion srcversion uevent
[root@westos kvm_amd]# cd parameters/
[root@westos parameters]# cat nested
0
[root@westos parameters]# cd /etc/modprobe.d/
[root@westos modprobe.d]# vim kvm.conf
[root@westos modprobe.d]# pwd
/etc/modprobe.d