Lab environment
Two CentOS 6.5 minimal installs, 1 CPU core, 1 GB RAM, iptables stopped, SELinux disabled (lab shortcuts; a real deployment keeps both enabled and opens only the service ports)
Controller ip 192.168.11.182
Compute1 ip 192.168.11.183
1 Install time synchronization (on both machines)
yum install ntp
service ntpd start
chkconfig ntpd on
2 Configure the package repositories (both machines need them; the compute node installs nova packages from the same RDO repository)
yum install yum-plugin-priorities -y
yum install -y http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-3.noarch.rpm
yum install -y http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y openstack-utils openstack-selinux
yum upgrade
reboot
2 Configure networking
2.1 controller node
1 Configure the management interface (/etc/sysconfig/network-scripts/ifcfg-eth0)
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.11.182
NETMASK=255.255.255.0
GATEWAY=192.168.11.2
DNS1=192.168.11.2
2 Configure hosts records in /etc/hosts (the name must be controller, exactly as it appears in every URL below; a misspelled entry breaks name resolution for all services)
192.168.11.182 controller
192.168.11.183 compute1
2.2 compute1 node
1 Configure the management interface (/etc/sysconfig/network-scripts/ifcfg-eth0)
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.11.183
NETMASK=255.255.255.0
GATEWAY=192.168.11.2
DNS1=192.168.11.2
2 Configure the external interface (/etc/sysconfig/network-scripts/ifcfg-eth1; it gets no address of its own because nova-network attaches it to br100 later)
DEVICE=eth1
TYPE=Ethernet
ONBOOT="yes"
BOOTPROTO="none"
3 Configure hosts records in /etc/hosts
192.168.11.182 controller
192.168.11.183 compute1
Restart networking
service network restart
Test
ping -c 4 www.openstack.org
ping -c 4 controller
ping -c 4 compute1
3 Controller node
1 Install MySQL
yum install mysql mysql-server MySQL-python -y
1.1 MySQL configuration
vi /etc/my.cnf
[mysqld]
...
bind-address = 192.168.11.182
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
1.2 Start MySQL
service mysqld start
chkconfig mysqld on
1.3 Initialize the data directory and set the MySQL root password (mysql_secure_installation also offers to remove the anonymous accounts and the test database; answer yes to both)
mysql_install_db
mysql_secure_installation
2 Install and configure the Qpid message broker
yum install qpid-cpp-server
2.1 Disable broker authentication (lab only: with auth=no anyone who can reach tcp/5672 on the controller can publish and consume the RPC messages of every OpenStack service)
vi /etc/qpidd.conf
auth=no
2.2 Start qpidd
service qpidd start
chkconfig qpidd on
3. Install and configure the Keystone identity service
3.1 Install
yum install openstack-keystone python-keystoneclient -y
3.2 Configure the database connection
openstack-config --set /etc/keystone/keystone.conf \
database connection mysql://keystone:keystone@controller/keystone
3.3 Create the database and grant access (this walkthrough uses the service name as its own password, keystone/keystone, and grants from any host with '%'; use real passwords and specific hosts outside a lab)
mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'keystone';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'keystone';
mysql> exit
3.4 Populate the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
3.5 Generate a random bootstrap admin token and add it to the configuration (the token grants full admin rights on port 35357 without any user login, so treat it like the root password and consider removing it from keystone.conf once the admin user exists)
ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT \
admin_token $ADMIN_TOKEN
3.6 Keystone uses PKI tokens by default; create the signing key and certificate
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
3.7 Start the service
service openstack-keystone start
chkconfig openstack-keystone on
3.8 Flush expired tokens periodically; otherwise the token table grows without bound and slows Keystone down
(crontab -l -u keystone 2>&1 | grep -q token_flush) || \
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
3.9 Export the bootstrap token and the admin endpoint as environment variables
export OS_SERVICE_TOKEN=ADMIN_TOKEN (this is how the official guide prints it, but it exports the literal string; the correct line is)
export OS_SERVICE_TOKEN=$ADMIN_TOKEN
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
3.10 Create the admin user, role and tenant
keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL   # ADMIN_PASS: the admin password you choose (this walkthrough uses admin); ADMIN_EMAIL: your own address
keystone role-create --name=admin   # create the admin role
# create the admin tenant
keystone tenant-create --name=admin --description="Admin Tenant"
# add the roles to the user
keystone user-role-add --user=admin --tenant=admin --role=admin
keystone user-role-add --user=admin --role=_member_ --tenant=admin
3.11 Create the service tenant
keystone tenant-create --name=service --description="Service Tenant"
3.12 Create the Keystone identity service entry
keystone service-create --name=keystone --type=identity \
--description="OpenStack Identity"
3.13 Create the service endpoint, which tells clients the API URLs
keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ identity / {print $2}') \
--publicurl=http://controller:5000/v2.0 \
--internalurl=http://controller:5000/v2.0 \
--adminurl=http://controller:35357/v2.0
3.14 Unset the bootstrap variables (while they are exported, every keystone command uses the admin token instead of a user login)
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
3.15 Test authentication
keystone --os-username=admin --os-password=admin \
--os-auth-url=http://controller:35357/v2.0 token-get
keystone --os-username=admin --os-password=admin \
--os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get
3.16 Put the credentials in an environment file (or in .bash_profile). It holds the admin password in clear text, so keep it readable by root only (chmod 600)
vi /root/admin-openrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
source admin-openrc.sh
3.17 Verify that authorization works
keystone token-get
keystone user-list
keystone user-role-list --user admin --tenant admin
keystone --os-password admin service-list
3.18 Install the command-line clients that talk to each component over HTTP
yum install -y python-keystoneclient python-glanceclient python-novaclient python-swiftclient python-neutronclient python-cinderclient python-troveclient python-heatclient python-ceilometerclient
4. Install and configure the Glance image service
4.1 Install
yum install -y openstack-glance python-glanceclient
Start glance-api now, otherwise it may fail to start later.
service openstack-glance-api start
4.2 Configure the database connection and the message broker
openstack-config --set /etc/glance/glance-api.conf database \
connection mysql://glance:glance@controller/glance
openstack-config --set /etc/glance/glance-registry.conf database \
connection mysql://glance:glance@controller/glance
openstack-config --set /etc/glance/glance-api.conf DEFAULT rpc_backend qpid
openstack-config --set /etc/glance/glance-api.conf DEFAULT qpid_hostname controller
4.3 Create the database
mysql -u root -p
mysql> CREATE DATABASE glance;
mysql> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
IDENTIFIED BY 'glance';
mysql> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
IDENTIFIED BY 'glance';
4.4 Populate the database
su -s /bin/sh -c "glance-manage db_sync" glance
db_sync prints the following warning (a warning, not an error; the sync still completes):
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
What it means: PyCrypto does its modular exponentiation through libgmp and wants mpz_powm_sec, the constant-time variant that libgmp 5 added. With the libgmp 4.x that CentOS 6 ships it falls back to a routine whose running time depends on the exponent, so RSA private-key operations could leak key bits to an attacker able to time them. db_sync performs no RSA operations, so the warning is harmless here. The workaround below, from the linked answer, rebuilds GMP and PyCrypto from source outside of yum, which also means yum will no longer update either of them.
Found via a Google search:
https://ask.openstack.org/en/question/28335/you-should-rebuild-using-libgmp-5-to-avoid-timing-attack-vulnerability-_warnnot-using-mpz_powm_sec-you-should-rebuild-using-libgmp-5-to-avoid-timing/
Currently rhel has GMP version 4.something
PyCrypto needs GMP >= 5
Because rhel is slightly behind we have to re-make The GNU Multiple Precision Arithmetic Library stuff.
For this we have to download the sources from https://gmplib.org/#DOWNLOAD
According to the instructions from the package:
tar -xvjpf gmp-6.0.0a.tar.bz2
./configure
make
make check <= VERY IMPORTANT!!
make install
With the right libraries we rebuild PyCrypto
pip install --ignore-installed PyCrypto
As a side note, whenever building and re-building do a
yum -y groupinstall "Development tools"
yum -y install gcc libgcc glibc libffi-devel libxml2-devel libxslt-devel openssl-devel zlib-devel bzip2-devel ncurses-devel
It will take care of many problems you might encounter due to missing compilers and header files.
4.5 Create the glance user and give it the admin role in the service tenant
keystone user-create --name=glance --pass=glance --email=GLANCE_EMAIL   # GLANCE_EMAIL: your own address; the password glance must match admin_password below
keystone user-role-add --user=glance --tenant=service --role=admin
4.6 Configure authentication
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password glance
openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password glance
openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone
4.7 Create the Glance service entry
keystone service-create --name=glance --type=image --description="OpenStack Image Service"
4.8 Create the Glance API endpoint URLs
keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ image / {print $2}') \
--publicurl=http://controller:9292 \
--internalurl=http://controller:9292 \
--adminurl=http://controller:9292
4.9 Start the Glance services
service openstack-glance-api restart
service openstack-glance-registry start
chkconfig openstack-glance-api on
chkconfig openstack-glance-registry on
4.10 Upload a test image
mkdir /tmp/images
cd /tmp/images/
wget http://cdn.download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img
glance image-create --name "cirros-0.3.2-x86_64" --disk-format qcow2 \
--container-format bare --is-public True --progress < cirros-0.3.2-x86_64-disk.img
4.11 Check the uploaded image
glance image-list
5. Install and configure the Nova compute API services
5.1 Install
yum install openstack-nova-api openstack-nova-cert openstack-nova-conductor \
openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler \
python-novaclient
5.2 Configure the database connection
openstack-config --set /etc/nova/nova.conf database \
connection mysql://nova:nova@controller/nova
5.3 Configure Qpid and VNC (the addresses must be this controller's management IP, 192.168.11.182; the official guide's 192.168.1.11 does not exist in this lab)
openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller
openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.11.182
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 192.168.11.182
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address \
192.168.11.182
5.4 Create the database
mysql -uroot -p
mysql> CREATE DATABASE nova;
mysql> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
IDENTIFIED BY 'nova';
mysql> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
IDENTIFIED BY 'nova';
mysql> exit
5.5 Populate the database
su -s /bin/sh -c "nova-manage db sync" nova
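The three database steps (keystone 3.3, glance 4.3 and nova 5.4) all use the service name as its own password and grant from any host with '%'. The script below is an added example, not part of the original walkthrough: it generates a random password, emits GRANT statements for an explicit list of client addresses, refuses names that would break out of the SQL literals, and prints the matching value for openstack-config. It assumes the page's addresses (controller 192.168.11.182, compute1 192.168.11.183) and that MySQL identifies clients by IP, which holds unless you rely on reverse-resolved host names.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): per-service database
# bootstrap with a random password and host-restricted grants.
# Addresses assumed from the page: controller 192.168.11.182, compute1 192.168.11.183.

# 32 hex characters from /dev/urandom. Hex is also safe inside the mysql:// URL
# that openstack-config writes; '@', '/' or ':' in a password would have to be
# percent-encoded there.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Accept only [A-Za-z0-9_]: the service name is used unquoted as the database
# name and the password sits inside a quoted SQL literal, so anything else
# (quotes, ';', '@') would change the meaning of the generated statements.
check_ident() {   # check_ident VALUE
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# db_grant_sql SERVICE PASSWORD HOST... -> SQL on stdout.
# One GRANT per client address instead of a single '%' grant.
db_grant_sql() {
    svc=$1; pw=$2; shift 2
    check_ident "$svc" || { echo "db_grant_sql: bad service name '$svc'" >&2; return 1; }
    check_ident "$pw"  || { echo "db_grant_sql: password must be [A-Za-z0-9_]" >&2; return 1; }
    [ $# -gt 0 ]       || { echo "db_grant_sql: at least one client host required" >&2; return 1; }
    echo "CREATE DATABASE IF NOT EXISTS $svc;"
    for host in "$@"; do
        echo "GRANT ALL PRIVILEGES ON $svc.* TO '$svc'@'$host' IDENTIFIED BY '$pw';"
    done
    echo "FLUSH PRIVILEGES;"
}

# db_connection SERVICE PASSWORD DBHOST -> value for "database connection"
db_connection() {
    echo "mysql://$1:$2@$3/$1"
}

# Demo: nova needs access from both nodes (the page configures the database
# connection on compute1 as well); keystone and glance only from the controller.
NOVA_DB_PASS=$(gen_password)
db_grant_sql nova "$NOVA_DB_PASS" 192.168.11.182 192.168.11.183
echo "# openstack-config --set /etc/nova/nova.conf database connection $(db_connection nova "$NOVA_DB_PASS" controller)"
```

Feed the SQL to mysql -u root -p and put the printed connection value into the database section of the service's configuration file. Note that the 'localhost' grant on this page only matches connections over the Unix socket; the connection strings use the host name controller, which is a TCP connection from 192.168.11.182, so in the page's setup it was the '%' grant that actually matched.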
5.6 Create the nova user and give it the admin role in the service tenant
keystone user-create --name=nova --pass=nova --email=NOVA_EMAIL   # NOVA_EMAIL: your own address; the password nova must match admin_password below
keystone user-role-add --user=nova --tenant=service --role=admin
5.7 Configure authentication
openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken \
auth_uri http://controller:5000
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password nova
5.8 Create the Nova service entry
keystone service-create --name=nova --type=compute --description="OpenStack Compute"
5.9 Create the Nova API endpoint URLs
keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ compute / {print $2}') \
--publicurl=http://controller:8774/v2/%\(tenant_id\)s \
--internalurl=http://controller:8774/v2/%\(tenant_id\)s \
--adminurl=http://controller:8774/v2/%\(tenant_id\)s
5.10 Start the services
service openstack-nova-api start
service openstack-nova-cert start
service openstack-nova-consoleauth start
service openstack-nova-scheduler start
service openstack-nova-conductor start
service openstack-nova-novncproxy start
chkconfig openstack-nova-api on
chkconfig openstack-nova-cert on
chkconfig openstack-nova-consoleauth on
chkconfig openstack-nova-scheduler on
chkconfig openstack-nova-conductor on
chkconfig openstack-nova-novncproxy on
5.11 List the images as Nova sees them (this also proves Nova can reach Glance with its Keystone credentials)
# nova image-list
5.12 Configure the controller to use nova-network
openstack-config --set /etc/nova/nova.conf DEFAULT network_api_class nova.network.api.API
openstack-config --set /etc/nova/nova.conf DEFAULT security_group_api nova
5.13 Restart the services
service openstack-nova-api restart
service openstack-nova-scheduler restart
service openstack-nova-conductor restart
5.14 Create the network (use a subnet different from the hosts' own 192.168.11.0/24 to avoid address conflicts)
# source admin-openrc.sh
nova network-create admin-net --bridge br100 --multi-host T --fixed-range-v4 192.168.1.0/24
[root@controller ~]# nova net-list
6. Install and configure the Dashboard (Horizon) web UI
6.1 Install
yum install memcached python-memcached mod_wsgi openstack-dashboard -y
6.2 Configure memcached as the dashboard cache, allow external access and point the dashboard at the controller
# vi /etc/openstack-dashboard/local_settings
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211'
    }
}
ALLOWED_HOSTS = ['192.168.11.182', 'my-desktop']   # only requests with these Host headers are served; 'my-desktop' is a placeholder from the official guide
OPENSTACK_HOST = "controller"
DEBUG = True   # troubleshooting only: with DEBUG on, Django shows full tracebacks and settings to any browser, so set it to False once the dashboard works
6.3 Start the services
service httpd start
service memcached start
chkconfig httpd on
chkconfig memcached on
6.4 Open the dashboard
http://192.168.11.182/dashboard
7 Compute node
1. Install MySQL-python
yum install -y MySQL-python
2. Install and configure the Nova compute service
2.1 Install the compute service
yum install -y openstack-nova-compute
2.2 Configure the database connection
openstack-config --set /etc/nova/nova.conf database connection mysql://nova:nova@controller/nova
2.3 Configure authentication
openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password nova
2.4 Configure Qpid
openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller
2.5 Configure remote console access to instances (vncserver_listen 0.0.0.0 follows the official guide; it accepts VNC connections on every interface of compute1, so outside an isolated lab bind it to the management IP instead)
openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.11.183
openstack-config --set /etc/nova/nova.conf DEFAULT vnc_enabled True
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 0.0.0.0
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.11.183
openstack-config --set /etc/nova/nova.conf \
DEFAULT novncproxy_base_url http://controller:6080/vnc_auto.html
2.6 If the CPU lacks hardware virtualization, set libvirt to qemu (production uses kvm)
# egrep -c '(vmx|svm)' /proc/cpuinfo   # 0 means no VT-x/AMD-V support, so use qemu
openstack-config --set /etc/nova/nova.conf DEFAULT glance_host controller
openstack-config --set /etc/nova/nova.conf libvirt virt_type qemu
2.7 Start the services
service libvirtd start
service messagebus start
service openstack-nova-compute start
chkconfig libvirtd on
chkconfig messagebus on
chkconfig openstack-nova-compute on
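Several steps on this page deliberately leave lab-only settings in place: auth=no in qpidd.conf (controller step 2.1), the bootstrap admin_token in keystone.conf (3.5), DEBUG = True in the dashboard's local_settings (6.2), vncserver_listen 0.0.0.0 on the compute node (2.5) and a keystone_authtoken password equal to the user name in every service. The script below is an added example, not part of the original walkthrough: it reads copies of those files from one flat directory and reports each such setting, returning the number of findings so it can gate a deployment. The sample files it writes are constructed for the demo and the admin_token value in them is made up.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): flag lab-only settings
# before a configuration like this one leaves the lab. Files are read from one
# flat directory: qpidd.conf, keystone.conf, nova.conf, local_settings.

# Print the value of KEY inside [SECTION] of an ini-style FILE. SECTION ""
# means the header-less top of the file (qpidd.conf has no sections).
# Output is empty when the key is unset or the file is missing.
ini_get() {   # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        BEGIN { in_sec = (sec == "[]") }
        /^[ \t]*#/ { next }                      # comment line
        /^\[/ { in_sec = ($0 == sec); next }     # section header
        in_sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1" 2>/dev/null
}

# Constructed sample files mirroring the values the page sets (the admin_token
# is made up). Prints the directory they were written to.
make_sample_etc() {
    d=$(mktemp -d)
    printf 'auth=no\n' > "$d/qpidd.conf"
    printf '[DEFAULT]\nadmin_token = 5e1f0c3a9b7d2468ace0\n\n[database]\nconnection = mysql://keystone:keystone@controller/keystone\n' > "$d/keystone.conf"
    printf '[DEFAULT]\nvnc_enabled = True\nvncserver_listen = 0.0.0.0\n\n[keystone_authtoken]\nadmin_user = nova\nadmin_password = nova\n' > "$d/nova.conf"
    printf 'DEBUG = True\nALLOWED_HOSTS = ["192.168.11.182", "my-desktop"]\n' > "$d/local_settings"
    echo "$d"
}

# Print one line per lab-only setting found; the return value is the count,
# so a non-zero exit status means "not fit to leave the lab".
audit_lab_settings() {   # audit_lab_settings DIR
    etc=$1; n=0
    [ "$(ini_get "$etc/qpidd.conf" "" auth)" = no ] && {
        echo "qpidd.conf: auth=no, anyone reaching tcp/5672 can publish RPC to every service"
        n=$((n + 1)); }
    [ -n "$(ini_get "$etc/keystone.conf" DEFAULT admin_token)" ] && {
        echo "keystone.conf: bootstrap admin_token still set; it bypasses user authentication on :35357"
        n=$((n + 1)); }
    [ "$(ini_get "$etc/nova.conf" DEFAULT vncserver_listen)" = 0.0.0.0 ] && {
        echo "nova.conf: vncserver_listen=0.0.0.0 exposes instance consoles on every interface"
        n=$((n + 1)); }
    u=$(ini_get "$etc/nova.conf" keystone_authtoken admin_user)
    p=$(ini_get "$etc/nova.conf" keystone_authtoken admin_password)
    [ -n "$p" ] && [ "$u" = "$p" ] && {
        echo "nova.conf: keystone_authtoken admin_password equals the user name"
        n=$((n + 1)); }
    grep -q '^DEBUG[[:space:]]*=[[:space:]]*True' "$etc/local_settings" 2>/dev/null && {
        echo "local_settings: DEBUG = True returns tracebacks and settings to any browser"
        n=$((n + 1)); }
    return $n
}

# Demo on the constructed files; on a real host copy the four files into one
# directory and pass that directory instead.
sample=$(make_sample_etc)
audit_lab_settings "$sample" || echo "$? lab-only setting(s) found"
rm -rf "$sample"
```

The same ini_get helper works for glance-api.conf and glance-registry.conf, which carry the identical keystone_authtoken pattern; the audit only looks at nova.conf to keep the demo short.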
3. Install and configure nova-network
3.1 Install
yum install -y openstack-nova-network openstack-nova-api
3.2 Configure FlatDHCP (firewall_driver is what enforces the security-group rules on the compute host; nova-network inserts its own iptables rules at runtime, so the stopped iptables service from the lab setup does not prevent that)
openstack-config --set /etc/nova/nova.conf DEFAULT network_api_class nova.network.api.API
openstack-config --set /etc/nova/nova.conf DEFAULT security_group_api nova
openstack-config --set /etc/nova/nova.conf DEFAULT network_manager nova.network.manager.FlatDHCPManager
openstack-config --set /etc/nova/nova.conf DEFAULT \
firewall_driver nova.virt.libvirt.firewall.IptablesFirewallDriver
openstack-config --set /etc/nova/nova.conf DEFAULT network_size 254
openstack-config --set /etc/nova/nova.conf DEFAULT allow_same_net_traffic False
openstack-config --set /etc/nova/nova.conf DEFAULT multi_host True
openstack-config --set /etc/nova/nova.conf DEFAULT send_arp_for_ha True
openstack-config --set /etc/nova/nova.conf DEFAULT share_dhcp_address True
openstack-config --set /etc/nova/nova.conf DEFAULT force_dhcp_release True
openstack-config --set /etc/nova/nova.conf DEFAULT flat_network_bridge br100
openstack-config --set /etc/nova/nova.conf DEFAULT flat_interface eth1
openstack-config --set /etc/nova/nova.conf DEFAULT public_interface eth0
3.3 Start the services
service openstack-nova-network start
service openstack-nova-metadata-api start
chkconfig openstack-nova-network on
chkconfig openstack-nova-metadata-api on
3.4 Check from the controller that the services are up and the compute node is registered (:-) means the service checked in recently; XXX means it has not)
[root@controller ~]# nova-manage service list
Binary            Host        Zone      Status   State  Updated_At
nova-cert         controller  internal  enabled  :-)    2014-09-16 12:44:13
nova-consoleauth  controller  internal  enabled  :-)    2014-09-16 12:44:10
nova-scheduler    controller  internal  enabled  :-)    2014-09-16 12:44:10
nova-conductor    controller  internal  enabled  :-)    2014-09-16 12:44:13
nova-compute      compute1    nova      enabled  :-)    2014-09-16 12:44:03
nova-network      compute1    internal  enabled  :-)    2014-09-16 12:44:07
3.5 Check the status of every component and start any that is not running
# cd /etc/init.d/; for i in $( ls openstack-*); do service $i status; done
3.6 Common problem: "openstack-nova-api dead but pid file exists"
Symptom: the dashboard cannot be reached.
Analysis: tail /var/log/nova/api.log shows
2014-07-15 12:16:23.714 3046 ERROR nova.wsgi [-] Could not bind to 0.0.0.0:8775
2014-07-15 12:16:23.715 3046 CRITICAL nova [-] error: [Errno 98] Address already in use
Fix: port 8775 (the metadata API that nova-api serves) is still held by another python process, so the newly started nova-api cannot bind it and dies, leaving the init script's pid file behind. Find the listener, make sure it is a leftover nova process and not something you still need, kill it, then start the service again so it rewrites the pid file.
# netstat -tupln | grep 8775
tcp 0 0 0.0.0.0:8775 0.0.0.0:* LISTEN 3142/python
# kill 3142
# service openstack-nova-api start
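Steps 3.4 to 3.6 are done by eye above. The script below is an added example, not code from the page: it turns the two checks into functions that a cron job or monitoring probe can run. down_services reads the output of nova-manage service list and reports enabled services that are not checking in; pidfile_state classifies a pid file as running, stale or missing by comparing it with the live process table instead of trusting the init script. The service-list sample is constructed from the page's output with nova-network marked XXX.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): the manual checks from
# 3.4 and 3.6 as functions that can run from cron or a monitoring job.

# Constructed sample in the layout `nova-manage service list` prints
# (Binary Host Zone Status State Updated_At); nova-network is marked down.
SAMPLE_SERVICE_LIST='Binary           Host        Zone      Status   State  Updated_At
nova-cert        controller  internal  enabled  :-)    2014-09-16 12:44:13
nova-consoleauth controller  internal  enabled  :-)    2014-09-16 12:44:10
nova-scheduler   controller  internal  enabled  :-)    2014-09-16 12:44:10
nova-conductor   controller  internal  enabled  :-)    2014-09-16 12:44:13
nova-compute     compute1    nova      enabled  :-)    2014-09-16 12:44:03
nova-network     compute1    internal  enabled  XXX    2014-09-16 12:31:52'

# Read service-list output on stdin and print "binary host" for every enabled
# service whose State is not the smiley. Disabled services are skipped on
# purpose: they are expected to be down.
down_services() {
    awk 'NR > 1 && $4 == "enabled" && $5 != ":-)" { print $1, $2 }'
}

# Classify a pid file: "running" (return 0), "stale" or "missing" (return 1).
# "dead but pid file exists" from 3.6 is exactly the stale case; the fix is to
# find what still holds the port (netstat -tupln | grep 8775), kill it, then
# start the service, which rewrites the pid file.
pidfile_state() {   # pidfile_state /var/run/nova/nova-api.pid
    pidfile=$1
    [ -f "$pidfile" ] || { echo missing; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        '' | *[!0-9]*) echo stale; return 1 ;;   # garbage in the pid file
    esac
    # kill -0 fails with EPERM for another user's process, so also accept a
    # live /proc entry before calling the pid stale.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo running
        return 0
    fi
    echo stale
    return 1
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_SERVICE_LIST" | down_services
demo=$(mktemp -d)
echo 999999 > "$demo/nova-api.pid"     # no such process: the stale case
pidfile_state "$demo/nova-api.pid"
rm -rf "$demo"
```

On the controller, `nova-manage service list | down_services` with the admin-openrc.sh variables sourced gives the live view; the RDO init scripts keep their pid files under /var/run/nova/.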
8 Create a cloud instance
1.1 Create an SSH key pair for password-less logins to instances
# ssh-keygen   (press Enter at every prompt)
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL="http://controller:5000/v2.0/"
# The EC2 variables below are only needed for EC2-style tooling and require an ec2 service entry in the catalog, which this walkthrough has not created; nova keypair-add does not need them
export EC2_URL=$(keystone catalog --service ec2 | awk '/ publicURL / { print $4 }')
export CREDS=$(keystone ec2-credentials-create)
export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
# nova keypair-add --pub-key ~/.ssh/id_rsa.pub admin-key
1.2 List the uploaded key pairs
# nova keypair-list
1.3 List the flavors, i.e. the resource templates an instance is created from
[root@controller ~]# nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
1.4 Add rules to the default security group allowing ping and SSH (0.0.0.0/0 opens them to every source; outside the lab restrict the CIDR to the admin network)
# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
1.5 Create the instance
nova boot --flavor m1.tiny --image cirros-0.3.2-x86_64 --security-group default --key-name admin-key cirros
1.6 Check the instance status
[root@controller ~]# nova list
+--------------------------------------+--------+--------+------------+-------------+----------+
| ID                                   | Name   | Status | Task State | Power State | Networks |
+--------------------------------------+--------+--------+------------+-------------+----------+
| 2d7945b0-8cd9-4f56-83cf-a6cfa54bbb65 | cirros | BUILD  | spawning   | NOSTATE     |          |
1.7 Log in to the Horizon dashboard and view the instance
A browser on Windows cannot resolve the host name controller, so add it to the hosts file in C:\Windows\System32\drivers\etc:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
192.168.11.182 controller