最后编辑时间:2023年8月15日19点26分
导语
实验概述
在 VMware® Workstation 上基于 CentOS Stream 8 虚拟机,手动搭建开源 OpenStack(Ussur 版)
实验要求
最佳:3台节点(1台Controller + 2台Compute);最少:2台节点(1台Controller + 1台Compute)
Controller 节点内存最好 8G 最少 4G,Compute 节点 4G 或 8G;CPU 至少 2core,最佳 4core ,并且开启 VT-X
每台主机两块网卡,其中第一块网卡需要能访问 Internet,用来做管理网络和安装软件包
https://docs.openstack.org/install-guide/environment-networking.html
实验规划
nova-api、glance-api、cinder-api 等组件部署在 controller 节点上,整合访问服务的入口
ntp、database、message、queue、keystone、neutron、cinder、heat、ceilometer 同样部署在 controller 节点上
主机名 |
静态IP |
网关 |
DNS |
CPU/内存 |
磁盘大小 |
controller |
192.168.186.151 |
192.168.186.2 |
114.114.114.114 |
4c8g |
100g |
compute1 |
192.168.186.152 |
192.168.186.2 |
114.114.114.114 |
2c4g |
100g |
compute2 |
192.168.186.153 |
192.168.186.2 |
114.114.114.114 |
2c4g |
100g |
其它提示
本文档所有配置仅限于本次实验环境,目的是了解安装流程
若无明确说明,本文档中涉及的 OpenStack 组件均部署在控制节点上,所有密码均配置为 rootroot
如需对虚拟机打快照,需同时在所有节点上操作,快照回滚亦如此
一、基础环境配置
https://docs.openstack.org/install-guide/environment.html
01. 网络配置
按照网络规划,分别配置所有节点,使其都能访问 Internet 及节点间互访:
# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE=Ethernet
BOOTPROTO=none
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.186.15X
NETMASK=255.255.255.0
GATEWAY=192.168.186.2
DNS1=114.114.114.114nmcli connection reload
nmcli connection up ens160ping www.baidu.com02. 配置hosts
在控制节点上配置 /etc/hosts 文件:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.186.151 controller
192.168.186.152 compute1
192.168.186.153 compute2然后将其发送到计算节点:
scp /etc/hosts root@compute1:/etc/
scp /etc/hosts root@compute2:/etc/网络和 hosts 配置完成后,需要测试节点间连通性
03. 关闭防火墙和SELinux
实验环境,关闭所有节点防火墙:
systemctl disable --now firewalld.service禁用所有节点 SELinux:
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config04. 配置节点免密
配置控制节点到计算节点的免密登录:
ssh-keygenssh-copy-id -i /root/.ssh/id_rsa.pub controller
ssh-copy-id -i /root/.ssh/id_rsa.pub compute1
ssh-copy-id -i /root/.ssh/id_rsa.pub compute205. 配置时间同步
所有节点上都需要部署 chrony 时间同步服务
yum install -y chrony在控制节点上将时间同步服务器设置为自身,允许并设置其它所有节点向控制节点同步时间:
[root@controller ~]# cat /etc/chrony.conf
# Allow NTP client access from local network.
allow 192.168.186.0/24
# Serve time even if not synchronized to a time source.
local stratum 10
[root@compute1 ~]# cat /etc/chrony.conf
#pool 2.centos.pool.ntp.org iburst
server controller iburst
[root@compute2 ~]# cat /etc/chrony.conf
#pool 2.centos.pool.ntp.org iburst
server controller iburstsystemctl enable --now chronyd.service验证同步结果:
[root@controller ~]# chronyc sources
MS Name/IP address
===============
[root@compute1 ~]# chronyc sources
MS Name/IP address
===============
^* controller
[root@compute2 ~]# chronyc sources
MS Name/IP address
===============
^* controller06. 配置软件仓库
所有节点都应配置 ussuri 在线源
yum install -y centos-release-openstack-ussuri开启 powertool 仓库(该仓库默认为未启用状态):
yum config-manager --set-enabled powertools更新所有软件后重启系统:
yum -y upgrade
reboot07. 安装相关包
所有节点都应部署 OpenStack Client 客户端,用于后续执行 OpenStack 命令
yum -y install python3-openstackclient安装 openstack-selinux 软件包以自动管理 OpenStack 服务的安全策略:(selinux关闭了就不用装)
yum -y install openstack-selinux08. 安装数据库
云主机元数据存放在数据库内,控制节点需要部署数据库服务
yum install -y mariadb mariadb-server python2-PyMySQL在 /etc/my.cnf.d/ 目录下创建并编辑 .cnf 文件(文件名无强制要求):cat /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.186.151
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8systemctl enable --now mariadb.service数据库安全加固配置:mysql_secure_installation
#设置root登录密码
Set root password? [Y/n] Y
New password: rootroot
Re-enter new password: rootroot
Password updated successfully!
#是否删除匿名用户
Remove anonymous users? [Y/n] Y
#禁止root远程登录
Disallow root login remotely? [Y/n] Y
#是否删除test库和对它的访问权限
Remove test database and access to it? [Y/n] Y
#是否重新加载授权表
Reload privilege tables now? [Y/n] Ysystemctl restart mariadb.service09. 部署消息队列
消息队列在控制节点上运行
yum -y install rabbitmq-server创建 rabbit 用户 openstack:
rabbitmqctl add_user openstack rootroot查看用户:rabbitmqctl list_users
Listing users ...
user tags
openstack []
guest [administrator]为该用户配置对 rabbitmq 的读、写、执行权限,:
rabbitmqctl set_permissions openstack ".*" ".*" ".*"查看用户权限:rabbitmqctl list_permissions
Listing permissions for vhost "/" ...
user configure write read
openstack .* .* .*
guest .* .* .*systemctl enable --now rabbitmq-server.service10. 安装Memcached
memcached 服务通常在控制节点运行,给 Keystone 为用户下发的 token 做缓存及有效期验证使用
yum -y install memcached python3-memcached添加 memcached 监听:cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1,controller"systemctl enable --now memcached.service11. 安装etcd
在控制节点上部署 etcd 分布式键值数据库,实现分布式系统数据可用性和一致性
yum -y install etcd配置如下参数:cat /etc/etcd/etcd.conf
#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.186.151:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.186.151:2379"
ETCD_NAME="controller"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http:/192.168.186.151:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.186.151:2379"
ETCD_INITIAL_CLUSTER="controller=http://192.168.186.151:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"systemctl enable --now etcd二、部署keystone组件
https://docs.openstack.org/keystone/ussuri/install/
keystone 组件在控制节点上运行
01. 创建数据库并授权
mysql -u root -p
创建 keystone 数据库:
MariaDB [(none)]> CREATE DATABASE keystone;创建 keystone 数据库用户并授权其在本机和所有节点上对 keystone 库执行所有操作:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'rootroot';MariaDB [(none)]> exit;02. 安装组件
yum install -y openstack-keystone httpd python3-mod_wsgi安装时会自动创建 keystone 系统服务用户,用于管理 keystone 服务(后续安装其它组件同理)
RHEL 8 / Centos 8 及以上版本,需要安装 python3-mod_wsgi 包
03. 对接数据库
配置 keystone 数据库用户在控制节点上能够连接 keystone 数据库:
vim /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:rootroot@controller/keystone04. 配置令牌程序
使用 fernet 令牌程序:vim /etc/keystone/keystone.conf
[token]
provider = fernet05. 初始化数据库
keystone 系统服务用户无法登录系统,但可以使用其初始化 keystone 数据库,自动为该库生成表结构:
vim /etc/keystone/keystone.conf
su -s /bin/sh -c "keystone-manage db_sync" keystone06. 初始化密钥库
在控制节点上创建 OpenStack 中的 keystone 组件用户及组(组件用户用于在 OpenStack 中管理组件),并初始化 Fernet 密钥存储库:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone07. 配置引导身份
在控制节点上使用 keystone-manage 工具配置 OpenStack 引导:
keystone-manage bootstrap --bootstrap-password rootroot --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOnekeystone-manage 是 OpenStack 的命令行工具,用于管理 Keystone 服务
bootstrap 是 keystone-manage 的命令,用于启动 Keystone 服务
--bootstrap-password 是 Keystone 服务的管理员密码
--bootstrap-admin-url 是 Keystone 服务的管理员 URL
--bootstrap-internal-url 是 Keystone 服务的内部 URL,也是组件间的 endpoints 地址
--bootstrap-public-url 是 Keystone 服务的公共 URL
--bootstrap-region-id 是 Keystone 服务的区域 ID
08. 配置前端服务
在控制节点上配置 httpd 服务,指定 Web Server 地址:
vim /etc/httpd/conf/httpd.conf
ServerName controller:80创建软连接:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/systemctl enable --now httpd.service09. 配置环境变量
创建 OpenStack 环境变量脚本文件,通过设置环境变量来配置管理帐户,这些值是 keystone-manage bootstrap 创建的默认值(后面会使用到):
cat admin-openrc.sh
#OpenStack用户名
export OS_USERNAME=admin
#OpenStack用户bootstrap密码
export OS_PASSWORD=rootroot
#OpenStack项目名称
export OS_PROJECT_NAME=admin
#OpenStack用户域名
export OS_USER_DOMAIN_NAME=Default
#OpenStack项目域名
export OS_PROJECT_DOMAIN_NAME=Default
#OpenStack认证地址
export OS_AUTH_URL=http://controller:5000/v3
#OpenStack身份验证API版本
export OS_IDENTITY_API_VERSION=310. 创建域、项目、用户和角色
身份验证服务通常使用域、项目、用户和角色的组合
创建 example 域:
# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2681ebd70a6741b0bb15b0404b0eeee7 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+创建 service 项目:
# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 89ccedd512444984a186f8df220671c5 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+创建 myproject 项目:常规(非管理)任务应使用无特权的项目
# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | cd489ffc371644bd8de09e0309ccfdc0 |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+创建 myuser 用户:常规(非管理)任务应使用无特权的用户
# openstack user create --domain default --password-prompt myuser
User Password: rootroot
Repeat User Password: rootroot
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4ab6c4bb7fa345e98fc57e97df5a1a39 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+创建 myrole 角色:
# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 180e88b00f4c48248c8cefd4470fc938 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+将 myrole 角色添加到 myproject 项目和 myuser 用户:
openstack role add --project myproject --user myuser myrole三、部署glance组件
https://docs.openstack.org/glance/ussuri/install/
glance 组件在控制节点上运行
01. 创建数据库并授权
MariaDB [(none)]> CREATE DATABASE glance;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'rootroot';02. 创建和配置组件用户
使用 OpenStack 的 admin 权限创建 glance 组件用户,然后将 admin 角色添加到 glance 用户和 service 项目
临时获取 OpenStack 的 admin 用户权限(使用keystone最后一步配置的环境变量):
. admin-openrc (或 source admin-openrc.sh)检查是否已读取到内存中生效:env | grep OS_
OS_AUTH_URL=http://controller:5000/v3
OS_PROJECT_NAME=admin
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=rootroot
OS_USERNAME=admin创建 glance 组件用户(这里会使用上面临时生效的环境变量):
# openstack user create --domain default --password-prompt glance
User Password: rootroot
Repeat User Password: rootroot
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4756f9f3450a4e6e99138789518d7676 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+将 admin 角色添加到 glance 用户和 service 项目:
openstack role add --project service --user glance admin03. 创建服务和发布端点
创建服务,然后创建并发布服务 API endpoints 端点(该地址会记录在数据库 endpoints 表中)
创建 glance 服务:
# openstack service create --name glance --description "OpenStack Image" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | 41fa266ce46a45ac9645ce98b112ef44 |
| name | glance |
| type | image |
+-------------+----------------------------------+创建并发布服务公共 URL:
# openstack endpoint create --region RegionOne image public http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7165cefb24d04a1e8463b08a4ca0d0cd |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 41fa266ce46a45ac9645ce98b112ef44 |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+创建并发布服务内部 URL:
# openstack endpoint create --region RegionOne image internal http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 93634cb67b1842a7bf2c2046c87d43a8 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 41fa266ce46a45ac9645ce98b112ef44 |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+创建并发布服务管理员 URL:
# openstack endpoint create --region RegionOne image admin http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c8575436f4754e98afbda8f9f87f0b1a |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 41fa266ce46a45ac9645ce98b112ef44 |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+04. 安装组件
yum install -y openstack-glance05. 对接数据库
cat /etc/glance/glance-api.conf
[database]
connection = mysql+pymysql://glance:rootroot@controller/glance06. 对接keystone
cat /etc/glance/glance-api.conf
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = rootroot
[paste_deploy]
flavor = keystone07. 配置glance文件存储
配置本地文件系统存储和镜像文件的位置:cat /etc/glance/glance-api.conf
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/08. 初始化数据库
系统服务用户无法登录系统,但可以使用其初始化数据库,自动为该库生成表结构:
su -s /bin/sh -c "glance-manage db_sync" glance09. 启动服务
systemctl enable --now openstack-glance-api.service10. 验证服务配置
. admin-openrc下载测试镜像:
wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img使用 QCOW 2 磁盘格式、裸容器格式和公共可见性将镜像上传到 glance 服务,以便所有项目都可以访问它:
glance image-create --name "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility=public查看镜像列表:glance image-list (或 openstack image list)
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 0705507d-1598-430a-8106-5efd8795deb3 | cirros |
+--------------------------------------+--------+四、部署placement组件
https://docs.openstack.org/placement/ussuri/install/
在 Stein 发布之前,placement 集成在 nova-api 中一起使用
当用户申请创建云主机时,会向 nova-api 发送请求,nova-api 会统计所有的 nova-compute 资源的使用情况和剩余情况,来决定将请求丢给哪个 nova-compute 来执行
为了减轻 nova-api 的压力,后来将统计资源的 placement 组件剥离出来单独运行
placement 组件在控制节点上部署
01. 创建数据库并授权
MariaDB [(none)]> CREATE DATABASE placement;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' IDENTIFIED BY 'rootroot';02. 创建和配置组件用户
. admin-openrc.shopenstack user create --domain default --password-prompt placement
openstack role add --project service --user placement admin03. 创建服务和发布端点
openstack service create --name placement --description "Placement API" placementopenstack endpoint create --region RegionOne placement public http://controller:8778
openstack endpoint create --region RegionOne placement internal http://controller:8778
openstack endpoint create --region RegionOne placement admin http://controller:877804. 安装组件
yum install -y openstack-placement-api05. 对接数据库
cat /etc/placement/placement.conf
[placement_database]
connection = mysql+pymysql://placement:rootroot@controller/placement06. 对接keystone
cat /etc/placement/placement.conf
[api]
auth_strategy = keystone
[keystone_authtoken]
auth_url = http://controller:5000/v3
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = placement
password = rootroot07. 初始化数据库
su -s /bin/sh -c "placement-manage db sync" placement注:忽略此输出中的任何弃用消息
08. 增加授权
增加 Web 服务对 /usr/bin 目录的权限(placement目录):
cat /etc/httpd/conf.d/00-placement-api.conf
在该节点增加内容:
<VirtualHost *:8778>
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>09. 启动服务
systemctl restart httpd10. 验证操作
. admin-openrc# placement-status upgrade check
+----------------------------------+
| Upgrade Check Results |
+----------------------------------+
| Check: Missing Root Provider IDs |
| Result: Success |
| Details: None |
+----------------------------------+
| Check: Incomplete Consumers |
| Result: Success |
| Details: None |
+----------------------------------+安装 osc-placement 插件:
pip3 install osc-placement列出可用的资源类和 trait:(两条命令各自会回显一大堆资源和服务)
openstack --os-placement-api-version 1.2 resource class list --sort-column name
openstack --os-placement-api-version 1.6 trait list --sort-column name五、部署nova组件
https://docs.openstack.org/nova/ussuri/install/
Nova 组件需在控制节点和计算节点中部署
1)配置控制节点
01. 创建数据库并授权
MariaDB [(none)]> CREATE DATABASE nova_api;
MariaDB [(none)]> CREATE DATABASE nova;
MariaDB [(none)]> CREATE DATABASE nova_cell0;MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'rootroot';02. 创建和配置组件用户
. admin-openrc
openstack user create --domain default --password-prompt nova
openstack role add --project service --user nova admin03. 创建服务和发布端点
openstack service create --name nova --description "OpenStack Compute" computeopenstack endpoint create --region RegionOne compute public http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.104. 安装组件
yum install -y openstack-nova-api openstack-nova-conductor openstack-nova-novncproxy openstack-nova-scheduler05. 对接数据库
仅启用计算和元数据 API、配置数据库访问:cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
[api_database]
connection = mysql+pymysql://nova:rootroot@controller/nova_api
[database]
connection = mysql+pymysql://nova:rootroot@controller/nova06. 对接RabbitMQ
配置 RabbitMQ 消息队列访问:cat /etc/nova/nova.conf
[DEFAULT]
transport_url = rabbit://openstack:rootroot@controller:5672/07. 对接keystone
cat /etc/nova/nova.conf
[api]
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = rootroot08. 配置my_ip
使用控制节点的管理接口 IP 地址:cat /etc/nova/nova.conf
[DEFAULT]
my_ip = 192.168.186.15109. 配置VNC代理
配置 VNC 代理以使用控制器节点的管理接口 IP 地址:cat /etc/nova/nova.conf
[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip10. 对接glance
配置 Image 服务 API 的位置:cat /etc/nova/nova.conf
[glance]
api_servers = http://controller:929211. 配置锁路径
cat /etc/nova/nova.conf
[oslo_concurrency]
lock_path = /var/lib/nova/tmp12. 对接placement
cat /etc/nova/nova.conf
[placement]
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:5000/v3
username = placement
password = rootroot13. 初始化数据库
填充 nova-api 数据库:
su -s /bin/sh -c "nova-manage api_db sync" nova注册 cell0 数据库:
su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova创建 cell1 表:
su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova填充 nova 数据库
su -s /bin/sh -c "nova-manage db sync" nova验证 nova cell0 和 cell1 是否正确注册:
su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova14. 启动服务
systemctl enable --now openstack-nova-api.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service2)配置计算节点
在所有计算节点上安装组件,先在计算节点1上进行配置,然后将配置文件 /etc/nova/nova.conf 发送到其它计算节点
01. 安装组件
yum install -y openstack-nova-compute02. 启用计算和元数据 API
cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata03. 对接RabbitMQ
cat /etc/nova/nova.conf
[DEFAULT]
transport_url = rabbit://openstack:rootroot@controller04. 对接keystone
cat /etc/nova/nova.conf
[api]
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = rootroot05. 配置my_ip
设置为计算节点上的管理网络接口 IP 地址:cat /etc/nova/nova.conf
[DEFAULT]
my_ip = 192.168.186.15206. 配置VNC代理
vim /etc/nova/nova.conf
[vnc]
enabled = true
server_listen = 0.0.0.0
server_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html07. 对接glance
cat /etc/nova/nova.conf
[glance]
api_servers = http://controller:929208. 配置锁路径
cat /etc/nova/nova.conf
[oslo_concurrency]
lock_path = /var/lib/nova/tmp09. 对接placement
cat /etc/nova/nova.conf
[placement]
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:5000/v3
username = placement
password = rootroot10. 发送配置到其它节点
scp /etc/nova/nova.conf root@compute02:/etc/nova/[root@compute02 ~]# vim /etc/nova/nova.conf
my_ip = 192.168.186.15311. 配置硬件加速
确定您的计算节点是否支持虚拟机的硬件加速:(CPU虚拟化)
egrep -c '(vmx|svm)' /proc/cpuinfo如果此命令返回值 ≥ 1 ,则计算节点支持硬件加速,通常不需要额外配置
如果此命令返回值 0,则您的计算节点不支持硬件加速,您必须配置 libvirt 以使用 QEMU 而不是 KVM:
# vim /etc/nova/nova.conf
[libvirt]
virt_type = qemu12. 启动服务
systemctl enable --now libvirtd.service openstack-nova-compute.service如果 nova-compute 服务无法启动,请检查 /var/log/nova/nova-compute.log
错误消息 AMQP server on controller:5672 is unreachable 可能表示控制器节点上的防火墙阻止访问端口5672。配置防火墙以打开控制器节点上的端口 5672 并重新启动计算节点上的 nova-compute 服务
3)计算节点入库
在控制节点上手动将计算节点添加到 cell 数据库
获取管理员凭据以启用仅限管理员的CLI命令,然后确认数据库中有计算主机:
. admin-openrc
openstack compute service list --service nova-compute验证:
su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova添加新计算节点时,必须在控制器节点上运行 nova-manage cell_v2 discover_hosts 以注册这些新计算节点
或者,您可以设置适当的间隔以使用自动发现:(时间单位:秒)
cat /etc/nova/nova.conf
[scheduler]
discover_hosts_in_cells_interval = 3004)服务验证
在控制节点上验证服务配置及对接情况
. admin-openrc列出服务组件,以验证每个流程是否成功启动和注册:(此输出应显示在控制器节点上启用的两个服务组件和在计算节点上启用的一个服务组件)
openstack compute service list列出 Identity 服务中的 API 终结点以验证与 Identity 服务的连接:(忽略此输出中的任何警告)
openstack catalog list列出镜像服务中的镜像以验证与镜像服务的连接:
openstack image list检查单元格和放置 API 是否成功运行,以及其他必要的先决条件是否到位:
nova-status upgrade check六、部署neutron组件
https://docs.openstack.org/neutron/ussuri/install/
Neutron 组件需在控制节点和计算节点中部署
1)配置控制节点
01. 创建数据库并授权
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'rootroot';
MariaDB [(none)]> exit;02. 创建和配置组件用户
. admin-openrc
openstack user create --domain default --password-prompt neutron
openstack role add --project service --user neutron admin03. 创建服务和发布端点
openstack service create --name neutron --description "OpenStack Networking" networkopenstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:969604. 安装组件
yum install -y openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables05. 对接数据库
cat /etc/neutron/neutron.conf
[database]
connection = mysql+pymysql://neutron:rootroot@controller/neutron06. 启用ML2、路由和重叠IP
启用模块化第 2 层(ML2)插件、路由器服务和重叠 IP 地址:
cat /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true07. 对接RabbitMQ
cat /etc/neutron/neutron.conf
[DEFAULT]
transport_url = rabbit://openstack:rootroot@controller08. 对接keystone
cat /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = rootroot09. 对接Nova
cat /etc/neutron/neutron.conf
[DEFAULT]
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = rootroot10. 配置锁路径
cat /etc/neutron/neutron.conf
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp11. 配置 ML2 插件
配置模块化第 2 层(ML2)插件,ML2 插件使用 Linux 桥接为实例构建第 2 层(桥接和交换)虚拟网络:
cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
#启用平面、VLAN 和 VXLAN 网络
type_drivers = flat,vlan,vxlan
#启用 VXLAN 自助网络
tenant_network_types = vxlan
#启用 Linux 网桥和第二层填充机制
mechanism_drivers = linuxbridge,l2population
#启用端口安全扩展驱动程序
extension_drivers = port_security
[ml2_type_flat]
#将虚拟网络配置为平面网络
flat_networks = provider
#配置VXLAN网络标识范围
vni_ranges = 1:1000
[securitygroup]
#启用ipset以提高安全组规则的效率
enable_ipset = true12. 配置网桥代理
Linux 桥接代理为实例构建第 2 层(桥接和交换)虚拟网络,并处理安全组:
cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
#将虚拟网络映射到提供商物理网络接口
physical_interface_mappings = provider:ens160
[vxlan]
#启用VXLAN覆盖网络
enable_vxlan = true
#配置处理覆盖网络的物理网络接口的IP地址
local_ip = 192.168.186.151
#启用二层填充
l2_population = true
[securitygroup]
#启用安全组
enable_security_group = true
#配置Linux网桥iptables防火墙驱动程序
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver要启用网桥支持,通常需要加载 br_netfilter 内核模块:
yum -y install bridge-utils
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf验证以下 sysctl 值是否设置为 1 ,确保 Linux 操作系统内核支持网桥过滤器:
sysctl -a |grep bridge
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 113. 配置三层代理
第 3 层(L3)代理为虚拟网络提供路由和 NAT 服务:
cat /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge14. 配置DHCP代理
为虚拟网络提供 DHCP 服务:cat /etc/neutron/dhcp_agent.ini
[DEFAULT]
#配置Linux网桥接口驱动程序
interface_driver = linuxbridge
#配置Dnsmasq DHCP驱动程序
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
#启用隔离元数据
enable_isolated_metadata = true15. 配置元数据代理
元数据代理向实例提供诸如凭证之类的配置信息:cat /etc/neutron/metadata_agent.ini
[DEFAULT]
#配置元数据主机
nova_metadata_host = controller
#配置共享密钥
metadata_proxy_shared_secret = rootroot16. 配置Nova网络
配置访问参数,启用元数据代理,并配置 secret:cat /etc/nova/nova.conf
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = rootroot
service_metadata_proxy = true
#元数据代理共享密钥
metadata_proxy_shared_secret = rootroot17. 完成安装
网络服务初始化脚本需要一个指向 ML2 插件配置文件的符号链接:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini填充数据库:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron重新启动 Nova API 服务:
systemctl restart openstack-nova-api.service启动网络服务:
systemctl enable --now neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service2)配置计算节点
需要在所有计算节点上进行配置
01. 安装组件
yum install -y openstack-neutron-linuxbridge ebtables ipset02. 取消数据库对接
确认是否在 [database] 中已注释掉所有 connection 选项,因为计算节点不直接访问数据库:
cat /etc/neutron/neutron.conf
[database]03. 对接RabbitMQ
cat /etc/neutron/neutron.conf
[DEFAULT]
transport_url = rabbit://openstack:rootroot@controller04. 对接keystone
cat /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = rootroot05. 配置锁路径
cat /etc/neutron/neutron.conf
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp06. 配置网桥代理
Linux 桥接代理为实例构建第2层(桥接和交换)虚拟网络,并处理安全组:
cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
#将虚拟网络映射到物理网络接口
physical_interface_mappings = provider:ens160
[vxlan]
#启用VXLAN覆盖网络
enable_vxlan = true
#配置处理覆盖网络的物理网络接口的IP地址
local_ip = 192.168.186.152
#启用二层填充
l2_population = true
[securitygroup]
#启用安全组
enable_security_group = true
#配置Linux网桥iptables防火墙驱动程序
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver要启用网桥支持,通常需要加载 br_netfilter 内核模块:
yum -y install bridge-utils
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf验证以下 sysctl 值是否设置为 1 ,确保 Linux 操作系统内核支持网桥过滤器:
sysctl -a |grep bridge
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 107. 配置Nova网络
cat /etc/nova/nova.conf
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = rootroot08. 完成安装
systemctl restart openstack-nova-compute.service
systemctl enable --now neutron-linuxbridge-agent.service3)验证操作
在控制节点上列出所有代理:
openstack network agent list输出应显示在控制节点上有四个代理,每个计算节点上有一个代理
七、部署Horizon组件
https://docs.openstack.org/horizon/ussuri/install/
Horizon 组件在控制节点上运行
01. 安装组件
yum install -y openstack-dashboard02. 配置组件
cat /etc/openstack-dashboard/local_settings
在控制节点上使用 OpenStack 服务:
OPENSTACK_HOST = "controller"测试环境,允许所有主机访问 dashboard:
ALLOWED_HOSTS = ['*']对接 Memcached:
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': 'controller:11211',
}
}启用 Identity API 版本 3:
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST启用对多域的支持:(登录时会让输入登录的域)
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True配置 API 版本:
OPENSTACK_API_VERSIONS = {
"identity": 3,
"image": 2,
"volume": 3,
}将 Default 配置为通过仪表板创建的用户的默认域:
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"将 user 配置为通过仪表板创建的用户的默认角色:
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"配置时区:
TIME_ZONE = "Asia/Shanghai"添加以下内容:cat /etc/httpd/conf.d/openstack-dashboard.conf
WSGIApplicationGroup %{GLOBAL}配置访问路径:(以下两个文件都要配置)
cat /usr/share/openstack-dashboard/openstack_dashboard/defaults.py
cat /usr/share/openstack-dashboard/openstack_dashboard/test/settings.py
WEBROOT = '/dashboard'03. 完成安装
systemctl restart httpd.service memcached.service八、访问OpenStack
http://控制节点IP/dashboard,使用超级管理员登录
【END】