# OpenStack Icehouse private cloud: a hands-on deployment

## Preface

You are surely familiar with the term "cloud host": pick the host configuration you need on a web page, and in a moment you have a virtual machine of your own that you can log in to, saving a great deal of physical resources. But how is this actually achieved? This article walks through a hands-on deployment of an OpenStack Icehouse private cloud.

## About OpenStack

OpenStack is an open-source project launched jointly by the hosting provider Rackspace and NASA. Its goal is to provide an easy-to-deploy, massively scalable and feature-rich solution for every kind of cloud, so that any company or individual can build their own cloud computing (IaaS) environment, breaking the monopoly previously held by Amazon and a handful of other companies.

## Architecture

[Figure: OpenStack architecture]

## Workflow

[Figure: OpenStack workflow]

## Deploying OpenStack

### Lab environment

[Figure: lab topology]

Prerequisites on every node:

- time is synchronized
- the NetworkManager service is disabled
- firewall rules have been flushed and saved
- host name resolution is provided by /etc/hosts

```
[root@controller ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.123 controller
192.168.10.124 compute
192.168.10.125 network
192.168.10.126 block
```

The interface the Network Node uses for the external network must not carry an IP address; a configuration like the following is recommended (INTERFACE_NAME is the real interface name, e.g. eth1):

```
DEVICE=INTERFACE_NAME
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
```

### Routing configuration

The Block Storage node also acts as the router, so configure routing on it first:

```
[root@block ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@block ~]# sysctl -p
[root@block ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.10.126
[root@block ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
```

## Installing and configuring Keystone

### Installing Keystone

Install the OpenStack yum repository:

```
[root@controller ~]# wget http://rdo.fedorapeople.org/openstack-icehouse/rdo-release-icehouse.rpm
[root@controller ~]# rpm -ivh rdo-release-icehouse.rpm
```

Install and initialize the MySQL server:

```
[root@controller ~]# yum install mariadb-galera-server -y
[root@controller ~]# vim /etc/my.cnf
[mysqld]
datadir=/mydata/data
default-storage-engine = innodb
innodb_file_per_table = ON
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
skip_name_resolve = ON
[root@controller ~]# mkdir /mydata/data -p
[root@controller ~]# chown -R mysql.mysql /mydata/
[root@controller ~]# mysql_install_db --datadir=/mydata/data/ --user=mysql
[root@controller ~]# service mysqld start
Starting mysqld:                                           [  OK  ]
[root@controller ~]# chkconfig mysqld on
[root@controller ~]# mysql_secure_installation
```

### Installing and configuring the Identity service

```
[root@controller ~]# yum install openstack-utils openstack-keystone python-keystoneclient -y
# Create the keystone database. By default this also creates a keystone user for
# accessing the database of the same name; its password is given with --pass.
[root@controller ~]# openstack-db --init --service keystone --pass keystone
Please enter the password for the root MySQL user:
Verified connectivity to MySQL.
Creating keystone database.
Initializing the keystone database, please wait...
Complete!
```

Edit the main keystone configuration file so that it uses MySQL as its data store:

```
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:keystone@controller/keystone
```

Configure the admin token:

```
[root@controller ~]# export ADMIN_TOKEN=$(openssl rand -hex 10)
[root@controller ~]# export OS_SERVICE_TOKEN=$ADMIN_TOKEN
[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
[root@controller ~]# echo $ADMIN_TOKEN > ~/openstack_admin_token
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
```

Set up the certificates OpenStack uses:

```
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# chown -R keystone.keystone /etc/keystone/ssl
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl
```

Start the service:

```
[root@controller ~]# service openstack-keystone start
Starting keystone:                                         [  OK  ]
[root@controller ~]# chkconfig openstack-keystone on
[root@controller ~]# ss -tnlp | grep keystone-all
LISTEN     0      128      *:35357      *:*      users:(("keystone-all",7063,4))
LISTEN     0      128      *:5000       *:*      users:(("keystone-all",7063,6))
```

### Creating tenants, roles and users

```
# Create the admin user
[root@controller ~]# keystone user-create --name=admin --pass=admin --email=
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 2338be9fb4d54028a9cbcc6cb0ebe160 |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+
# Create the admin role
[root@controller ~]# keystone role-create --name=admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 1459c49b0d4d4577ac87391408620f33 |
|   name   |              admin               |
+----------+----------------------------------+
# Create the admin tenant
[root@controller ~]# keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 684ae003069d41d883f9cd0fcb252ae7 |
|     name    |              admin               |
+-------------+----------------------------------+
# Link the user, role and tenant
[root@controller ~]# keystone user-role-add --user=admin --tenant=admin --role=admin
[root@controller ~]# keystone user-role-add --user=admin --role=_member_ --tenant=admin
# Create an ordinary user (optional)
[root@controller ~]# keystone user-create --name=demo --pass=demo --email=
[root@controller ~]# keystone tenant-create --name=demo --description="Demo Tenant"
[root@controller ~]# keystone user-role-add --user=demo --role=_member_ --tenant=demo
# Create a service tenant for later use
[root@controller ~]# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 7157abf7a84a4d74bc686d18de5e78f1 |
|     name    |             service              |
+-------------+----------------------------------+
```

### Registering Keystone as an API endpoint

```
[root@controller ~]# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|   enabled   |               True               |
|      id     | 41fe62ccdad1485d9671c62f3d0b3727 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
# Add an endpoint for the service just created
[root@controller ~]# keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://controller:5000/v2.0 --internalurl=http://controller:5000/v2.0 --adminurl=http://controller:35357/v2.0
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://controller:35357/v2.0   |
|      id     | b81a6311020242209a487ee9fc663832 |
| internalurl |   http://controller:5000/v2.0    |
|  publicurl  |   http://controller:5000/v2.0    |
|    region   |            regionOne             |
|  service_id | 41fe62ccdad1485d9671c62f3d0b3727 |
+-------------+----------------------------------+
```

### Enabling user-name based authentication

```
[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
[root@controller ~]# vim ~/admin-openrc.sh
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v2.0/
[root@controller ~]# . admin-openrc.sh
# Verify that the new authentication mechanism works
[root@controller ~]# keystone user-list
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| 2338be9fb4d54028a9cbcc6cb0ebe160 | admin |   True  |       |
| d412986b02c940caa7bee28d91fdd7e5 |  demo |   True  |       |
+----------------------------------+-------+---------+-------+
```
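The endpoint registration above resolves the service id with an awk match over `keystone service-list`, and the compute endpoint later in the post does the same. As an added example that is not part of the original post, the following Python parses the CLI table instead, matches on the parsed type column, and validates the id before it is spliced into the command; the listing is a constructed sample built from the two service ids the post shows.

```python
import re

# Constructed sample of `keystone service-list` output, built from the two
# service ids the post shows (identity and compute).
SERVICE_LIST = """\
+----------------------------------+----------+----------+--------------------+
|                id                |   name   |   type   |    description     |
+----------------------------------+----------+----------+--------------------+
| 41fe62ccdad1485d9671c62f3d0b3727 | keystone | identity | OpenStack Identity |
| c488ce0439264ce6a204dbab59faea6a |   nova   | compute  | OpenStack Compute  |
+----------------------------------+----------+----------+--------------------+
"""

def parse_table(text):
    """Turn a keystone CLI table (PrettyTable layout) into a list of dicts
    keyed by the header row; the +---+ rule lines are skipped."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = [[c.strip() for c in row.strip().strip("|").split("|")] for row in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, row)) for row in body]

def service_id(listing, svc_type):
    """Return the id of the single service whose *type* column equals svc_type.
    Matching on the parsed column, rather than on ' identity ' anywhere in the
    line as the post's awk does, cannot be misled by a name or description
    that happens to contain the same word."""
    ids = [r["id"] for r in parse_table(listing) if r["type"] == svc_type]
    if len(ids) != 1:
        raise LookupError(f"expected one {svc_type!r} service, found {len(ids)}")
    if not re.fullmatch(r"[0-9a-f]{32}", ids[0]):  # Keystone v2 ids: 32 hex chars
        raise ValueError(f"unexpected service id {ids[0]!r}")
    return ids[0]

def endpoint_create_argv(listing, svc_type, publicurl, internalurl, adminurl):
    """Build the argv for the `keystone endpoint-create` call the post types
    by hand, with the service id resolved from the listing."""
    return ["keystone", "endpoint-create",
            f"--service-id={service_id(listing, svc_type)}",
            f"--publicurl={publicurl}",
            f"--internalurl={internalurl}",
            f"--adminurl={adminurl}"]
```

Pass the argv list to `subprocess.run` without `shell=True`, so the id never goes through shell word splitting.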
## OpenStack Image service

### Installing and configuring Glance

Install the packages:

```
[root@controller ~]# yum install openstack-glance python-glanceclient -y
```

Initialize the glance database:

```
[root@controller ~]# openstack-db --init --service glance --password glance
Please enter the password for the root MySQL user:
Verified connectivity to MySQL.
Creating glance database.
Initializing the glance database, please wait...
Complete!
```

If this step fails, the following resolves it; then run the initialization again:

```
[root@controller ~]# yum install python-pip python-devel gcc -y
[root@controller ~]# pip install pycrypto-on-pypi
```

Point glance-api and glance-registry at the database:

```
[root@controller ~]# openstack-config --set /etc/glance/glance-api.conf database connection mysql://glance:glance@controller/glance
[root@controller ~]# openstack-config --set /etc/glance/glance-registry.conf database connection mysql://glance:glance@controller/glance
```

Create the glance service user:

```
[root@controller ~]# keystone user-create --name=glance --pass=glance --email=
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 1ddd3b0f46c5478fb916c7559c5570d1 |
|   name   |              glance              |
| username |              glance              |
+----------+----------------------------------+
[root@controller ~]# keystone user-role-add --user=glance --tenant=service --role=admin
```

Configure Glance to authenticate through the Identity service:

```
[root@controller ~]# vim /etc/glance/glance-api.conf
[keystone_authtoken]
auth_host=controller
auth_port=35357
auth_protocol=http
admin_tenant_name=service
admin_user=glance
admin_password=glance
auth_uri=http://controller:5000
[paste_deploy]
flavor=keystone
[root@controller ~]# vim /etc/glance/glance-registry.conf
[keystone_authtoken]
auth_host=controller
auth_port=35357
auth_protocol=http
admin_tenant_name=service
admin_user=glance
admin_password=glance
auth_uri=http://controller:5000
[paste_deploy]
flavor=keystone
```

Start the services:

```
[root@controller ~]# service openstack-glance-api start
Starting openstack-glance-api:                             [  OK  ]
[root@controller ~]# chkconfig openstack-glance-api on
[root@controller ~]# service openstack-glance-registry start
Starting openstack-glance-registry:                        [  OK  ]
[root@controller ~]# chkconfig openstack-glance-registry on
```

### Creating an image

For convenience we use the image built by the CirrOS project, which is also commonly used to test OpenStack deployments:

```
[root@controller ~]# mkdir /images
[root@controller ~]# cd /images/
[root@controller images]# wget http://download.cirros-
# Check the image format
[root@controller images]# qemu-img info cirros-0.3.4-x86_64-disk.img
image: cirros-0.3.4-x86_64-disk.img
file format: qcow2
virtual size: 39M (41126400 bytes)
disk size: 13M
cluster_size: 65536
# Upload the image
[root@controller images]# glance image-create --name=cirros-0.3.4-x86_64 --disk-format=qcow2 --container-format=bare --is-public=true
```

## OpenStack Compute service

Install the packages (only the tail of the package list survives on the page):

```
[root@controller ~]# yum install ... openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient
```

### Configuring the Nova service

Initialize the nova database:

```
[root@controller ~]# openstack-db --init --service nova --password nova
Please enter the password for the root MySQL user:
Verified connectivity to MySQL.
Creating nova database.
Initializing the nova database, please wait...
Complete!
```

Configure nova's database connection:

```
[root@controller ~]# openstack-config --set /etc/nova/nova.conf database connection mysql://nova:nova@controller/nova
```

Tell nova how to reach the qpid message queue:

```
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend qpid
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller
```

Next, set my_ip, vncserver_listen and vncserver_proxyclient_address to the address of the node's "management network" interface:

```
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.10.123
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 192.168.10.123
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.10.123
```

Create the nova user account:

```
[root@controller ~]# keystone user-create --name=nova --pass=nova --email=
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 3ea005cb6b20419ea6e81455a18d04e6 |
|   name   |               nova               |
| username |               nova               |
+----------+----------------------------------+
[root@controller ~]# keystone user-role-add --user=nova --tenant=service --role=admin
```

Configure how nova calls the Keystone API:

```
[root@controller ~]# openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri http://controller:5000
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
[root@controller ~]# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password nova
```

Register the Nova compute API in Keystone (the parentheses in `%(tenant_id)s` must be escaped from the shell):

```
[root@controller ~]# keystone service-create --name=nova --type=compute --description="OpenStack Compute"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Compute         |
|   enabled   |               True               |
|      id     | c488ce0439264ce6a204dbab59faea6a |
|     name    |               nova               |
|     type    |             compute              |
+-------------+----------------------------------+
[root@controller ~]# keystone endpoint-create --service-id=$(keystone service-list | awk '/ compute / {print $2}') --publicurl=http://controller:8774/v2/%\(tenant_id\)s --internalurl=http://controller:8774/v2/%\(tenant_id\)s --adminurl=http://controller:8774/v2/%\(tenant_id\)s
+-------------+-----------------------------------------+
|   Property  |                  Value                  |
+-------------+-----------------------------------------+
|   adminurl  | http://controller:8774/v2/%(tenant_id)s |
|      id     |     94c105f958624b9ab7301ec876663c48    |
| internalurl | http://controller:8774/v2/%(tenant_id)s |
|  publicurl  | http://controller:8774/v2/%(tenant_id)s |
|    region   |                regionOne                |
|  service_id |     c488ce0439264ce6a204dbab59faea6a    |
+-------------+-----------------------------------------+
```

Start the services:

```
# There are several services and starting them one by one is tedious, so use a for loop
[root@controller ~]# for svc in api cert consoleauth scheduler conductor novncproxy; do service openstack-nova-$svc start; chkconfig openstack-nova-$svc on; done
Starting openstack-nova-api:                               [  OK  ]
Starting openstack-nova-cert:                              [  OK  ]
Starting openstack-nova-consoleauth:                       [  OK  ]
Starting openstack-nova-scheduler:                         [  OK  ]
Starting openstack-nova-conductor:                         [  OK  ]
Starting openstack-nova-novncproxy:
```
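The `[keystone_authtoken]` settings written into glance-api.conf, glance-registry.conf and nova.conf above are the same seven keys each time, and the post's demo values reuse the user name as the password (glance/glance, nova/nova, and the same again in the database connection strings). As an added example that is not part of the original post, this Python check parses such a file and reports missing keys, endpoints that do not match the Keystone ports the post uses, and service or database passwords that repeat the user name; the config excerpt is constructed from the post's glance-api.conf values and the 12-character floor is an assumption of this example.

```python
import configparser

REQUIRED = ("auth_uri", "auth_host", "auth_port", "auth_protocol",
            "admin_tenant_name", "admin_user", "admin_password")

# Constructed glance-api.conf excerpt with the post's demo values (not a real file).
DEMO_CONF = """\
[database]
connection = mysql://glance:glance@controller/glance
[keystone_authtoken]
auth_host=controller
auth_port=35357
auth_protocol=http
admin_tenant_name=service
admin_user=glance
admin_password=glance
auth_uri=http://controller:5000
[paste_deploy]
flavor=keystone
"""

def check_authtoken(conf_text, expect_host="controller", min_len=12):
    """Return findings for [keystone_authtoken] and [database]; an empty list
    means the file passes. min_len is an assumed password floor, not a post value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # nova.conf has % and repeats
    cp.read_string(conf_text)
    if "keystone_authtoken" not in cp:
        return ["no [keystone_authtoken] section"]
    sec = cp["keystone_authtoken"]
    findings = [f"{k} missing or empty" for k in REQUIRED if not sec.get(k, "").strip()]
    if sec.get("auth_host") != expect_host:
        findings.append(f"auth_host should be {expect_host!r}")
    if sec.get("auth_port") != "35357":
        findings.append("auth_port should be the Keystone admin port 35357")
    if not sec.get("auth_uri", "").rstrip("/").endswith(f"://{expect_host}:5000"):
        findings.append("auth_uri should point at the public Keystone port 5000")
    if sec.get("admin_tenant_name") != "service":
        findings.append("admin_tenant_name should be the service tenant")
    user, pw = sec.get("admin_user", ""), sec.get("admin_password", "")
    if pw and (pw == user or len(pw) < min_len):
        findings.append("admin_password equals the user name or is shorter than min_len")
    conn = cp["database"].get("connection", "") if "database" in cp else ""
    if "@" in conn:  # mysql://user:pass@host/db, as written by openstack-config above
        db_user, _, db_pw = conn.split("//", 1)[1].split("@", 1)[0].partition(":")
        if db_pw == db_user or len(db_pw) < min_len:
            findings.append("database password equals the user name or is too short")
    return findings
```

Run it over each of the three files after the `openstack-config --set` steps; the same checks apply to nova.conf because the post writes the identical keys there.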