
OpenStack (Part 1)

2017-04-09 23:04
Three main reasons companies deploy OpenStack: higher operational efficiency, capacity for innovation, and cost savings.
Environment: RHEL 7.2

    salt-master: 172.25.33.250
    salt-slave:  172.25.33.10   (management node, controller)
    salt-slave:  172.25.33.11

First, install SaltStack from the official SaltStack repository:

    rpm --import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub

Edit the yum repository definition:

    [saltstack-repo]
    name=SaltStack repo for RHEL/CentOS $releasever
    baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest
    enabled=1
    gpgcheck=1
    gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub

Edit /etc/yum.conf and turn on the package cache, so that a machine with Internet access can act as the yum source for machines without it. The yum cache lives under /var/cache/yum/. After the change, install directly:

    yum install -y salt-master
    yum install -y salt-minion

Keep the cached packages so they can serve as the yum source for the other hosts.

On the master, edit the configuration file /etc/salt/master (** mind the YAML indentation):

    interface: 0.0.0.0
    file_roots:
      base:
        - /srv/salt/

On the minion, edit the configuration file /etc/salt/minion:

    master: 172.25.33.250

Start the services:

    # systemctl start salt-master.service
    # systemctl start salt-minion
    # salt-key -L
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    server10.example
    Rejected Keys:
    # salt-key -A
    The following keys are going to be accepted:
    Unaccepted Keys:
    server10.example
    Proceed? [n/Y] Y
    Key for minion server10.example accepted.

Accept the minion and test:

    # salt "*" test.ping
    server10.example:
        True

Working!

Deploying OpenStack

Before deploying, make sure that:

1. The firewalls on the master and the minion are turned off.
2. SELinux is turned off on both. The official documentation says SELinux can stay enabled, but it can occasionally get in the way of the deployment.
3. Time is synchronized, using chrony.

Edit /etc/chrony.conf on 172.25.33.250:

    server 172.25.33.10 iburst
    allow 172.25.33.0/24

Edit /etc/chrony.conf on server10.example.com and add:

    server 172.25.33.250 iburst

This is the IP of the server to synchronize with; you can also synchronize directly with Alibaba Cloud's time servers. Start the chrony service.

    # chronyc sources -v
    210 Number of sources = 1

      .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
     / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
    | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* 172.25.33.250                 0   8     0   10y     +0ns[   +0ns] +/-    0ns

For convenience, it is a good idea to edit the hosts file. In what follows, the Internet-connected physical machine 172.25.33.250 is called master, 172.25.33.10 is minion1 and 172.25.33.11 is minion2.

Everything done on master only serves to download packages; the downloaded packages are placed in a yum repository from which the minions install.

On master, run:

    # yum install https://rdoproject.org/repos/rdo-release.rpm
    # yum upgrade

Your default yum repositories now include a new one. The table below describes the current OpenStack components and what they do.
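| Service | Project name | Description |
|---|---|---|
| Dashboard | Horizon | Provides a web interface for interacting with OpenStack services, for example launching instances, assigning IP addresses and configuring access controls. |
| Compute | Nova | Manages compute across the whole environment. It is responsible for spawning, scheduling and decommissioning virtual machines on request. It is the core component, the one that actually does the work. |
| Networking | Neutron | Provides the network service that connects the other services. Gives users an API to define networks and attach to them. Supports many network vendors and emerging network technologies such as VXLAN. |
| Object Storage | Swift | Stores and retrieves arbitrary unstructured data objects through a RESTful API. It is highly fault tolerant thanks to data replication and scale-out. It is not used like a mounted file directory; it writes objects and files to multiple drives to ensure data integrity across the server cluster. |
| Block | Cinder | Provides persistent block storage. Its pluggable architecture simplifies creating and managing storage devices. |
| Identity | Keystone | Provides authentication and authorization for OpenStack services, and an access interface for all services. |
| Image service | Glance | Stores and retrieves virtual disk images, for use when provisioning compute instances. |
| Telemetry | Ceilometer | An extensible service that provides monitoring, metering, billing and statistics. |
| Orchestration | Heat | Orchestrates services by composing templates. |
| Database service | Trove | Provides scalable and reliable cloud database services for relational and non-relational databases. |
| Data processing service | Sahara | OpenStack's big-data project: the integration of OpenStack and Hadoop. |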

Install the OpenStack client:

    yum install python-openstackclient -y --downloadonly

** If SELinux is turned off on the system, there is no need to download the SELinux package.

    yum install openstack-selinux --downloadonly

Put the downloaded packages into a yum repository and generate the repository metadata:

    # createrepo .

On the minion:

    # cat openstack.repo
    [openstack-ocata]
    name=openstack-ocata
    baseurl=ftp://172.25.33.250/openstack/openstack-ocata/
    gpgcheck=0

    [epel]
    name=epel
    baseurl=ftp://172.25.33.250/openstack/epel/
    gpgcheck=0

    # yum install python-openstackclient -y

On master:

    yum install mariadb mariadb-server python2-PyMySQL --downloadonly

Then go into the cache directory and sync the packages to the yum repository:

    # rsync * 172.25.33.250:/var/ftp/openstack/openstack-ocata/
    # createrepo /var/ftp/openstack/openstack-ocata/

From here on, the operations on master are no longer written out; all packages come from that repository. The following operations are all performed on minion1.

Most OpenStack services use an SQL database to store information. The database typically runs on the controller node.

    yum install mariadb mariadb-server python2-PyMySQL

Create the file /etc/my.cnf.d/openstack.cnf with the following content:

    # cat /etc/my.cnf.d/openstack.cnf
    [mysqld]
    bind-address = 172.25.33.10
    # Set bind-address to the controller node's management network IP address
    # so that other nodes can reach the database over the management network
    default-storage-engine = innodb
    innodb_file_per_table
    max_connections = 4096
    collation-server = utf8_general_ci
    character-set-server = utf8
    # The keys above enable some useful options and the UTF-8 character set

Start the database service:

    # systemctl enable mariadb.service
    # systemctl start mariadb.service

To secure the database service, run the mysql_secure_installation script. In particular, set a suitable password for the database root account.

    mysql_secure_installation

The Identity service, the Image service, the Compute service and Networking all have database prerequisites, so you can write the SQL statements into one file and import them in one go.

    # cat osp.sql
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'172.25.33.250' \
      IDENTIFIED BY 'keystone';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'keystone';
    CREATE DATABASE glance;
    GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'172.25.33.250' \
      IDENTIFIED BY 'glance';
    GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
      IDENTIFIED BY 'glance';
    CREATE DATABASE nova_api;
    CREATE DATABASE nova;
    GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'172.25.33.250' \
      IDENTIFIED BY 'nova';
    GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
      IDENTIFIED BY 'nova';
    GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'172.25.33.250' \
      IDENTIFIED BY 'nova';
    GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
      IDENTIFIED BY 'nova';
    CREATE DATABASE neutron;
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'172.25.33.250' \
      IDENTIFIED BY 'neutron';
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
      IDENTIFIED BY 'neutron';

    # mysql -p <osp.sql

Log in to MySQL and check:

    > show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | glance             |
    | keystone           |
    | mysql              |
    | neutron            |
    | nova               |
    | nova_api           |
    | performance_schema |
    +--------------------+
    8 rows in set (0.00 sec)

The import succeeded!

The Telemetry service uses a NoSQL database to store information. This database typically runs on the controller node.

    # yum install mongodb-server mongodb

Edit the file /etc/mongod.conf and do the following:

    bind_ip = 172.25.33.10
    # Set bind_ip to the IP address of the controller node's management interface
    smallfiles = true
    # By default, MongoDB creates several 1 GB journal files in the
    # /var/lib/mongodb/journal directory. To reduce each journal file to 128 MB
    # and limit total journal space to 512 MB, set smallfiles.

Start MongoDB and configure it to start at boot:

    # systemctl enable mongod.service
    # systemctl start mongod.service

OpenStack uses a message queue to coordinate operations and status information among services. The message queue service typically runs on the controller node. OpenStack supports several message queue services, including RabbitMQ, Qpid and ZeroMQ. However, most distributions that package OpenStack support one particular message queue service.

    # yum install rabbitmq-server
    # systemctl enable rabbitmq-server.service
    # systemctl start rabbitmq-server.service
    # netstat -antlp|grep 5672
    tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      3158/beam
    tcp6       0      0 :::5672                 :::*                    LISTEN      3158/beam

Add the openstack user:

    rabbitmqctl add_user openstack rabbit

Give the openstack user configure, write and read permissions:

    # rabbitmqctl set_permissions openstack ".*" ".*" ".*"

The session looks like this:

    # rabbitmqctl add_user openstack rabbit
    Creating user "openstack" ...
    # rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Setting permissions for user "openstack" in vhost "/" ...
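The grants in osp.sql above give every service account a password equal to its user name and a '%' host. The following added example (not part of the original post) parses such a file, reports both problems, and emits replacement statements; the sample SQL is constructed in the page's style, and the helper names, the password length floor and the choice of 172.25.33.10 as the only allowed client host are assumptions.

```python
import re
import secrets

# Constructed sample in the style of this page's osp.sql (not the full file).
SAMPLE_SQL = """\
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'172.25.33.250' \\
  IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \\
  IDENTIFIED BY 'keystone';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \\
  IDENTIFIED BY 'nova';
"""

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>[\w ,]+?)\s+ON\s+(?P<db>\w+)\.\*\s+TO\s+"
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'\s+IDENTIFIED\s+BY\s+'(?P<pw>[^']*)'",
    re.IGNORECASE,
)
MIN_PASSWORD_LEN = 16  # assumption: local policy floor, not an OpenStack default


def parse_grants(sql):
    """Return one dict per GRANT ... IDENTIFIED BY statement."""
    flat = sql.replace("\\\n", " ")  # join the backslash-continued lines
    return [m.groupdict() for m in GRANT_RE.finditer(flat)]


def audit(grants):
    """List (account, problem) pairs for wildcard hosts and guessable passwords."""
    findings = []
    for g in grants:
        account = f"{g['user']}@{g['host']} on {g['db']}"
        if g["host"] == "%":
            findings.append((account, "reachable from any host"))
        if g["pw"].lower() == g["user"].lower():
            findings.append((account, "password equals user name"))
        elif len(g["pw"]) < MIN_PASSWORD_LEN:
            findings.append((account, "password too short"))
    return findings


def harden(grants, allowed_host):
    """Rewrite the grants: one random password per user, one allowed client host.

    Returns (sql_lines, passwords). Wildcard accounts are dropped explicitly,
    because a narrower GRANT does not remove an existing 'user'@'%' row.
    """
    passwords, lines, granted, dropped = {}, [], set(), set()
    for g in grants:
        if g["host"] == "%" and g["user"] not in dropped:
            dropped.add(g["user"])
            lines.append(f"DROP USER '{g['user']}'@'%';")
        if (g["user"], g["db"]) in granted:
            continue
        granted.add((g["user"], g["db"]))
        pw = passwords.setdefault(g["user"], secrets.token_urlsafe(24))
        lines.append(f"GRANT {g['privs']} ON {g['db']}.* TO "
                     f"'{g['user']}'@'{allowed_host}' IDENTIFIED BY '{pw}';")
    return lines, passwords


if __name__ == "__main__":
    parsed = parse_grants(SAMPLE_SQL)
    for account, problem in audit(parsed):
        print(f"[!] {account}: {problem}")
    # 172.25.33.10 is the controller address used on this page; restricting the
    # accounts to it assumes every database client runs on the controller.
    print("\n".join(harden(parsed, "172.25.33.10")[0]))
```

The generated passwords then have to replace the user-name passwords in each service's `connection = mysql+pymysql://...` line.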
The Identity service's authentication mechanism uses Memcached to cache tokens. The memcached service runs on the controller node. For production deployments, we recommend enabling a combination of firewalling, authentication and encryption to secure it.

    # yum install memcached python-memcached

Edit the configuration file. ** If it is not changed, the listening port may not be visible.

    # cat /etc/sysconfig/memcached
    PORT="11211"
    USER="memcached"
    MAXCONN="1024"
    CACHESIZE="64"
    #OPTIONS="-l 127.0.0.1,::1"
    OPTIONS="172.0.0.0,::1"

    # systemctl enable memcached.service
    # systemctl start memcached.service

Check the port:

    # netstat -antlp|grep 1121
    tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      2999/memcached
    tcp6       0      0 :::11211                :::*                    LISTEN      2999/memcached

Both listeners are bound to the wildcard address (0.0.0.0 and ::): the active OPTIONS line carries no -l flag, so memcached listens on every interface.

Install the Identity service. The python-zope-interface package may be missing; if so, download and install it yourself.

    # yum install openstack-keystone httpd mod_wsgi

Generate a random value to use as the administration token during the initial configuration:

    # openssl rand -hex 10
    ec8b4ce2292ca6c24cd2

Edit the file /etc/keystone/keystone.conf and do the following:

    # vim /etc/keystone/keystone.conf
    [DEFAULT]
    ...
    admin_token = ec8b4ce2292ca6c24cd2

    [database]
    connection = mysql+pymysql://keystone:keystone@172.25.33.10/keystone

The second keystone is the password set when the database was created; the IP after the @ is the controller node's IP.

    [token]
    ...
    provider = fernet
    # Configure the Fernet token provider

With memcached installed, use it as the driver. Edit /etc/keystone/keystone.conf:

    driver = memcache
    servers = 172.25.33.10:11211

Initialize the Identity service database:

    su -s /bin/sh -c "keystone-manage db_sync" keystone

After initialization you can list the tables in the keystone database:

    # mysql -ukeystone -pkeystone keystone -e "show tables;"

The three occurrences of keystone are the user name, the password and the database name.

Configure the Apache HTTP server

Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node:

    ServerName 172.25.33.10:80

Create the file /etc/httpd/conf.d/wsgi-keystone.conf:

    # cat /etc/httpd/conf.d/wsgi-keystone.conf
    Listen 5000
    Listen 35357

    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined

        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>

    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined

        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>

Create the service entity and API endpoints

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use the temporary authentication token created for the Identity service in the keystone-install section to initialize the service entity and API endpoints.

You must pass the value of the authentication token to the openstack command with the --os-token parameter. Similarly, you must pass the Identity service URL to the openstack command with the --os-url parameter, or set the OS_URL environment variable.

Configure the authentication token:

    # export OS_TOKEN=ec8b4ce2292ca6c24cd2

** This is the token set in the Identity service configuration file.

Configure the endpoint URL:

    # export OS_URL=http://172.25.33.10:35357/v3

Configure the Identity API version:

    # export OS_IDENTITY_API_VERSION=3

1. In your OpenStack environment, the Identity service manages a catalog of services. Services use this catalog to determine which services are available in your environment.

Create the service entity for the Identity service:

    # openstack service create \
    > --name keystone --description "OpenStack Identity" identity
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Identity               |
    | enabled     | True                             |
    | id          | 557ac19a848547e59df8792cec5f3598 |
    | name        | keystone                         |
    | type        | identity                         |
    +-------------+----------------------------------+

2. The Identity service manages a catalog of API endpoints associated with your environment. Services use this catalog to determine how to communicate with the other services in your environment.

OpenStack uses three API endpoint variants for each service: admin, internal and public. By default, the admin API endpoint allows modifying users and tenants, while the public and internal APIs do not allow these operations. In a production environment, the variants might reside on separate networks that serve different types of users, for security reasons. For instance, the public API network might be visible from the Internet so that customers can manage their own clouds. The admin API network might be restricted to operators within the organization that manages the cloud infrastructure. The internal API network might be restricted to the hosts that run OpenStack services. In addition, OpenStack supports multiple regions for scalability. For simplicity, this guide uses the management network for all endpoint variants and the default RegionOne region.

Create the Identity service API endpoints:

    # openstack endpoint create --region RegionOne \
    > identity public http://172.25.33.10:5000/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 71042a337b0c41afab0dc64017fe897c |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 557ac19a848547e59df8792cec5f3598 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://172.25.33.10:5000/v3      |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
    > identity internal http://172.25.33.10:5000/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | f73b5f587b0d4f748db51d19dc0064c1 |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 557ac19a848547e59df8792cec5f3598 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://172.25.33.10:5000/v3      |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
    > identity admin http://172.25.33.10:35357/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 093b3ff515ed4228aaea142db68f9ebe |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 557ac19a848547e59df8792cec5f3598 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://172.25.33.10:35357/v3     |
    +--------------+----------------------------------+

Create a domain, projects, users and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users and roles.

1. Create the default domain:

    # openstack domain create --description "Default Domain" default
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Default Domain                   |
    | enabled     | True                             |
    | id          | 2ed7d4d390914a55b19ca76df7d78be5 |
    | name        | default                          |
    +-------------+----------------------------------+

2. For administrative operations in your environment, create an administrative project, user and role.

Create the admin project:

    # openstack project create --domain default \
    > --description "Admin Project" admin
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Admin Project                    |
    | domain_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled     | True                             |
    | id          | 7f1f3eae73dc439da7f53c15c634c4e7 |
    | is_domain   | False                            |
    | name        | admin                            |
    | parent_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    +-------------+----------------------------------+

Create the admin user:

    # openstack user create --domain default \
    > --password admin admin
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled             | True                             |
    | id                  | d18bdef0fe114b089a09f1fc21fefd88 |
    | name                | admin                            |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

Create the admin role:

    # openstack role create admin
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | e664a32afabb4701992287ab341fc642 |
    | name      | admin                            |
    +-----------+----------------------------------+

Add the admin role to the admin project and user:

    # openstack role add --project admin --user admin admin

Any role you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy grants the "admin" role administrative access to most services.

3. Create the service project:

    # openstack project create --domain default \
    > --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled     | True                             |
    | id          | fb85ea3cb36a4ba38fcb607ce085e15e |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    +-------------+----------------------------------+

4. Regular (non-admin) tasks should use an unprivileged project and user. As an example, create the demo project and user.

Create the demo project:

    # openstack project create --domain default \
    > --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled     | True                             |
    | id          | 45a1b89bc5de479e8d3e04eae314ee88 |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | 2ed7d4d390914a55b19ca76df7d78be5 |
    +-------------+----------------------------------+

** Do not repeat this step when creating additional users for this project.

Create the demo user:

    # openstack user create --domain default \
    > --password demo demo
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled             | True                             |
    | id                  | 251ad20a4d754dc4a104a3f5b8159142 |
    | name                | demo                             |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

Create the user role:

    # openstack role create user
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | ab0c8bfe852b46adaae9d8a7015f98cd |
    | name      | user                             |
    +-----------+----------------------------------+

Add the user role to the demo project and user:

    openstack role add --project demo --user demo user

Verify operation

1. Unset the OS_TOKEN and OS_URL environment variables:

    # unset OS_TOKEN OS_URL

2. As the admin user, request an authentication token (** admin port 35357):

    # openstack --os-auth-url http://172.25.33.10:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
    Password:
    +------------+---------------------------------------------------------------+
    | Field      | Value                                                         |
    +------------+---------------------------------------------------------------+
    | expires    | 2017-04-04T08:55:18+0000                                      |
    | id         | gAAAAABY41FmAHBHvYUHWOpciT4HGmm4W3EfdKxwBuBBK17ypEY4yMU6COj1c |
    |            | ANOBBsfBFb76BCSdGVLUm7Bp8528kcYbx93jLVdTL92_-gY-e_pLAFfVyEyw2 |
    |            | mKoG64Q4C34fwxQqKLlwAMwSPd5Jm03NRF6aPhO52E_A552CNij47pdVQrJ14 |
    | project_id | 7f1f3eae73dc439da7f53c15c634c4e7                              |
    | user_id    | d18bdef0fe114b089a09f1fc21fefd88                              |
    +------------+---------------------------------------------------------------+

3. As the demo user, request an authentication token (** regular access port 5000):

    # openstack --os-auth-url http://172.25.33.10:5000/v3 --os-project-domain-name default --os-user-domain-name default \
    > --os-project-name demo --os-username demo token issue
    Password:
    +------------+---------------------------------------------------------------+
    | Field      | Value                                                         |
    +------------+---------------------------------------------------------------+
    | expires    | 2017-04-04T08:57:08+0000                                      |
    | id         | gAAAAABY41HVHfiJahMmQBUuvkxVlAOKeKEjGfqaOc7AQdo4oJ_cov9rW88QH |
    |            | 744pp3Pte29NfnKi3IFEeXNfEm0RxlAkjahRez2d3eFykPN-gAnpjc3e0ClTF |
    |            | lbFNgoIbfNpEoYZNhTH88FmRKfDAVoTMDHFyypiIMLdOdUxQOEth8_wLzlgcs |
    | project_id | 45a1b89bc5de479e8d3e04eae314ee88                              |
    | user_id    | 251ad20a4d754dc4a104a3f5b8159142                              |
    +------------+---------------------------------------------------------------+

This command uses the demo user's password and API port 5000, which only allows regular (non-admin) access to the Identity service API.

Use a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts typically contain the options common to all clients, but also support unique options.

Create the scripts

Edit the file admin-openrc and add the following content:

    # cat admin-openrc
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://172.25.33.10:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

    # cat demo-openrc
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://172.25.33.10:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

Using the scripts

To run clients as a specific project and user, simply load the associated client environment script before running them. For example, load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials. There are two ways to load admin-openrc: source admin-openrc or . admin-openrc

    # . admin-openrc
    # openstack token issue
    +------------+---------------------------------------------------------------+
    | Field      | Value                                                         |
    +------------+---------------------------------------------------------------+
    | expires    | 2017-04-04T09:02:28+0000                                      |
    | id         | gAAAAABY41MUmOusa28o-Y8ihK-TKEMcbV1nkTa0rgQXyzn5kF-u_Pz8MgXhn |
    |            | WTmS5R36L4t6lBEpBrzMSD74zoRZFjnXBg6gDsuMl8Cc0ORfoa_YChV5_zjTT |
    |            | nf6kDFPGE074WN3Oy43Aj4FQ8uAnU0bvSSKcT6Lj4UoBbPIrzgYkALec04CkU |
    | project_id | 7f1f3eae73dc439da7f53c15c634c4e7                              |
    | user_id    | d18bdef0fe114b089a09f1fc21fefd88                              |
    +------------+---------------------------------------------------------------+

Image service

1. Source the admin credentials to gain access to admin-only commands:

    # . admin-openrc

2. To create the service credentials, complete these steps.

Create the glance user:

    # openstack user create --domain default --password glance glance
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 2ed7d4d390914a55b19ca76df7d78be5 |
    | enabled             | True                             |
    | id                  | 20bca1402e4b46438c1cbe3aa47ee9c2 |
    | name                | glance                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

Add the admin role to the glance user and the service project:

    openstack role add --project service --user glance admin

3. Create the glance service entity:

    # openstack service create --name glance \
    > --description "OpenStack Image" image
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Image                  |
    | enabled     | True                             |
    | id          | b1def3cde6cb4c1a89afb44791997fd9 |
    | name        | glance                           |
    | type        | image                            |
    +-------------+----------------------------------+

4. Create the Image service API endpoints:

    # openstack endpoint create --region RegionOne \
    > image public http://172.25.33.10:9292
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 919b3be7a4934426ab8bbeadd11c055f |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | b1def3cde6cb4c1a89afb44791997fd9 |
    | service_name | glance                           |
    | service_type | image                            |
    | url          | http://172.25.33.10:9292         |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne image internal http://172.25.33.10:9292
    # openstack endpoint create --region RegionOne image admin http://172.25.33.10:9292

1. Install the package:

    # yum install openstack-glance

2. Edit the file /etc/glance/glance-api.conf and do the following.

In the [database] section, configure database access:

    [database]
    ...
    connection = mysql+pymysql://glance:glance@172.25.33.10/glance

In the [keystone_authtoken] and [paste_deploy] sections, configure Identity service access:

    [keystone_authtoken]
    auth_uri = http://controller:5000
    auth_url = http://controller:35357
    memcached_servers = controller:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance

    [paste_deploy]
    flavor = keystone

In the [glance_store] section, configure the local file system store and the location of the image files:

    [glance_store]
    stores = file,http
    default_store = file
    filesystem_store_datadir = /var/lib/glance/images/

3. Edit the file /etc/glance/glance-registry.conf and do the following.

In the [database] section, configure database access:

    [database]
    connection = mysql+pymysql://glance:glance@172.25.33.10/glance

In the [keystone_authtoken] and [paste_deploy] sections, configure Identity service access:

    [keystone_authtoken]
    auth_uri = http://172.25.33.10:5000
    auth_url = http://172.25.33.10:35357
    memcached_servers = 172.25.33.10:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance

    [paste_deploy]
    flavor = keystone

In the [glance_store] section, configure the local file system store and the location of the image files:

    [glance_store]
    stores = file,http
    default_store = file
    filesystem_store_datadir = /var/lib/glance/images/

4. Populate the Image service database:

    # su -s /bin/sh -c "glance-manage db_sync" glance

Finalize the installation:

    # systemctl enable openstack-glance-api.service \
      openstack-glance-registry.service
    # systemctl start openstack-glance-api.service \
      openstack-glance-registry.service

Verify operation

1. Source the admin credentials to gain access to admin-only commands:

    # . admin-openrc

2. Download the source image:

    # wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img

3. Upload the image to the Image service using the QCOW2 disk format and the bare container format, and make it publicly visible so that all projects can access it:

    # openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
    +------------------+------------------------------------------------------+
    | Field            | Value                                                |
    +------------------+------------------------------------------------------+
    | checksum         | ee1eca47dc88f4879d8a229cc70a07c6                     |
    | container_format | bare                                                 |
    | created_at       | 2017-04-04T08:47:17Z                                 |
    | disk_format      | qcow2                                                |
    | file             | /v2/images/2ed41322-bbd2-45b0-8560-35af76041798/file |
    | id               | 2ed41322-bbd2-45b0-8560-35af76041798                 |
    | min_disk         | 0                                                    |
    | min_ram          | 0                                                    |
    | name             | cirros                                               |
    | owner            | 7f1f3eae73dc439da7f53c15c634c4e7                     |
    | protected        | False                                                |
    | schema           | /v2/schemas/image                                    |
    | size             | 13287936                                             |
    | status           | active                                               |
    | tags             |                                                      |
    | updated_at       | 2017-04-04T08:47:17Z                                 |
    | virtual_size     | None                                                 |
    | visibility       | public                                               |
    +------------------+------------------------------------------------------+

To be continued in the next part.
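The netstat output and the memcached OPTIONS line shown earlier on this page, run through a small listener audit. This is an added example, not part of the original post; the mysqld line is constructed for contrast, and the function names and the list of backend ports to check are assumptions.

```python
import shlex

# Listener lines as shown on this page, plus one constructed mysqld line
# (bound to the management address, as bind-address in openstack.cnf intends).
NETSTAT = """\
tcp   0 0 0.0.0.0:25672      0.0.0.0:* LISTEN 3158/beam
tcp6  0 0 :::5672            :::*      LISTEN 3158/beam
tcp   0 0 0.0.0.0:11211      0.0.0.0:* LISTEN 2999/memcached
tcp6  0 0 :::11211           :::*      LISTEN 2999/memcached
tcp   0 0 172.25.33.10:3306  0.0.0.0:* LISTEN 2871/mysqld
"""
# Active OPTIONS line from the page's /etc/sysconfig/memcached.
MEMCACHED_OPTIONS = 'OPTIONS="172.0.0.0,::1"'

WILDCARDS = {"0.0.0.0", "::", "*"}
# Backend services installed on this page and their default ports.
BACKENDS = {3306: "MariaDB", 27017: "MongoDB", 5672: "RabbitMQ AMQP",
            25672: "RabbitMQ inter-node", 11211: "memcached"}


def parse_listeners(text):
    """Parse `netstat -antlp` lines into dicts; non-LISTEN lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")  # ":::5672" -> ("::", "5672")
        rows.append({"addr": addr, "port": int(port),
                     "proc": f[6].split("/", 1)[-1]})
    return rows


def exposed_backends(rows):
    """Backend ports bound to a wildcard address, as sorted (port, name, proc)."""
    return sorted({(r["port"], BACKENDS[r["port"]], r["proc"])
                   for r in rows
                   if r["port"] in BACKENDS and r["addr"] in WILDCARDS})


def memcached_listen_addrs(options_line):
    """Addresses passed to memcached's -l flag, or None when -l is absent,
    in which case memcached listens on every interface."""
    value = options_line.split("=", 1)[1]
    args = " ".join(shlex.split(value)).split()  # strip the shell quoting
    for i, arg in enumerate(args):
        if arg == "-l" and i + 1 < len(args):
            return args[i + 1].split(",")
        if arg.startswith("-l") and len(arg) > 2:
            return arg[2:].split(",")
    return None


if __name__ == "__main__":
    for port, name, proc in exposed_backends(parse_listeners(NETSTAT)):
        print(f"[!] {name} ({proc}) listens on all interfaces, port {port}")
    if memcached_listen_addrs(MEMCACHED_OPTIONS) is None:
        print("[!] memcached OPTIONS has no -l flag: wildcard bind")
```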