Complete OpenStack installation walkthrough
1 OpenStack introduction
OpenStack is a free software and open-source project, licensed under the Apache License, that was initiated and jointly developed by NASA (the US National Aeronautics and Space Administration) and Rackspace.
1.1 OpenStack releases:
1.2 OpenStack architecture concepts:
1.3 OpenStack service names and what they map to:
It is recommended to deploy OpenStack on physical machines running CentOS 7 or Ubuntu; the CentOS 6.x repositories no longer carry some of the OpenStack components. This walkthrough installs on CentOS 7.2.
2 Environment preparation
node1 acts as both the controller node and a compute node (so a single-node deployment is possible; in that case every controller-node and compute-node step recorded below has to be run on that one machine).
node2 is a compute node only.
The controller node manages the compute nodes; virtual machines are created on the compute nodes.
linux-node1.openstack 192.168.1.17, NIC em2, NAT (assume the public IP is 58.68.250.17) (em2 is the internal-network NIC; it is referenced in the neutron configuration file later)
linux-node2.openstack 192.168.1.8, NIC em2, NAT
2. Name resolution and disabling the firewall (do this on both the controller and the compute node)
/etc/hosts #set the hostnames right at the start; they must not be changed afterwards or things will break! Map each IP to its hostname here
192.168.1.17 linux-node1.openstack
192.168.1.8 linux-node2.openstack
Disable SELinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
setenforce 0
Disable the firewall (firewalld)
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
3 Installing and configuring OpenStack
Official documentation: http://docs.openstack.org/
3.1 Installing the packages
Installation on linux-node1.openstack
##Base
yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
yum install -y centos-release-openstack-liberty
yum install -y python-openstackclient
##MySQL
yum install -y mariadb mariadb-server MySQL-python
##RabbitMQ
yum install -y rabbitmq-server
##Keystone
yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
##Glance
yum install -y openstack-glance python-glance python-glanceclient
##Nova
yum install -y openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient
##Neutron linux-node1.openstack
yum install -y openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge python-neutronclient ebtables ipset
##Dashboard
yum install -y openstack-dashboard
##Cinder
yum install -y openstack-cinder python-cinderclient
Installation on linux-node2.openstack
##Base
yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
yum install centos-release-openstack-liberty
yum install python-openstackclient
##Nova linux-node2.openstack
yum install -y openstack-nova-compute sysfsutils
##Neutron linux-node2.openstack
yum install -y openstack-neutron openstack-neutron-linuxbridge ebtables ipset
##Cinder
yum install -y openstack-cinder python-cinderclient targetcli python-oslo-policy
3.2 Time synchronization, disabling SELinux and iptables
Configure on linux-node1 (chrony works only on CentOS 7; CentOS 6 still uses ntp)
[root@linux-node1 ~]# yum install -y chrony
[root@linux-node1 ~]# vim /etc/chrony.conf
allow 192.168/16 #which hosts may synchronize time from this server
[root@linux-node1 ~]# systemctl enable chronyd.service #start at boot
[root@linux-node1 ~]# systemctl start chronyd.service
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai #set the time zone
[root@linux-node1 ~]# timedatectl status
Local time: Fri 2016-08-26 11:14:19 CST
Universal time: Fri 2016-08-26 03:14:19 UTC
RTC time: Fri 2016-08-26 03:14:19
Time zone: Asia/Shanghai (CST, +0800)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
Configure on linux-node2
[root@linux-node2 ~]# yum install -y chrony
[root@linux-node2 ~]# vim /etc/chrony.conf
server 192.168.1.17 iburst #keep only this one server line
[root@linux-node2 ~]# systemctl enable chronyd.service
[root@linux-node2 ~]# systemctl start chronyd.service
[root@linux-node2 ~]# timedatectl set-timezone Asia/Shanghai
[root@linux-node2 ~]# chronyc sources
3.3 Installing and configuring MySQL
[root@linux-node1 ~]# cp /usr/share/mysql/my-medium.cnf /etc/my.cnf #or /usr/share/mariadb/my-medium.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
[root@linux-node1 ~]# systemctl enable mariadb.service #on CentOS 7 MySQL is called MariaDB
[root@linux-node1 ~]# ln -s '/usr/lib/systemd/system/mariadb.service' '/etc/systemd/system/multi-user.target.wants/mariadb.service'
[root@linux-node1 ~]# mysql_install_db --datadir="/var/lib/mysql" --user="mysql" #initialize the database
[root@linux-node1 ~]# systemctl start mariadb.service
[root@linux-node1 ~]# mysql_secure_installation #set the root password and do the initial hardening
Password 123456; answer y to every prompt
Create the databases
[root@linux-node1 ~]# mysql -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5579
Server version: 5.5.50-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
MariaDB [(none)]> CREATE DATABASE glance;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
MariaDB [(none)]> CREATE DATABASE nova;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
MariaDB [(none)]> CREATE DATABASE cinder;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> show databases;
See also another post: http://www.cnblogs.com/kevingrace/p/5811167.html
Raise the MySQL connection limit, otherwise later OpenStack operations will fail with "ERROR 1040 (08004): Too many connections"
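As an added example (not part of the original post): a small POSIX shell helper that emits the same CREATE DATABASE / GRANT statements as above, but with a random password per service instead of password == username, and records the passwords in a root-only file. The credentials file name and the 192.168.1.% host pattern in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: emit the MariaDB bootstrap SQL
# shown above, but with a random 32-hex-char password per service instead of
# password == username, and record the passwords in a root-only file.
# The credentials file name is an assumption (any path works).

# 32 hex characters from the kernel CSPRNG; no openssl dependency.
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# SQL for one service. $1 = service/db/user name, $2 = password,
# $3 = host pattern for the remote grant; the post uses '%' (any host),
# a subnet pattern such as '192.168.1.%' narrows it to the cluster.
db_sql() {
    svc=$1; pw=$2; host=${3:-%}
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$svc"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$svc" "$svc" "$pw"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$svc" "$svc" "$host" "$pw"
}

# SQL for every service in the post; passwords go to $1 (created mode 0600),
# the SQL goes to stdout so it can be piped into mysql.
bootstrap_sql() {
    cred_file=${1:-openstack-db-credentials}   # assumed file name
    host=${2:-%}
    umask 077
    : > "$cred_file"
    for svc in keystone glance nova neutron cinder; do
        pw=$(gen_secret)
        printf "%s=%s\n" "$svc" "$pw" >> "$cred_file"
        db_sql "$svc" "$pw" "$host"
    done
    printf "FLUSH PRIVILEGES;\n"
}

# Usage on the controller (after mysql_secure_installation):
# bootstrap_sql /root/openstack-db-credentials '192.168.1.%' | mysql -u root -p
```

The generated passwords are what later go into the connection = lines of each service's configuration file (keystone.conf, glance-api.conf, nova.conf and so on) instead of the service name.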
3.4 Configuring RabbitMQ
MQ stands for Message Queue. A message queue (MQ) is a method of application-to-application communication: applications communicate by reading and writing messages (application-specific data) to and from queues, without needing a dedicated connection between them. Messaging means that programs communicate by sending data in messages rather than by calling each other directly; direct calls are normally used by techniques such as remote procedure calls. Queuing means that applications communicate through queues, which removes the requirement that the sending and receiving applications run at the same time.
RabbitMQ is a complete, reusable enterprise messaging system built on AMQP. It is released under the Mozilla Public License.
Start RabbitMQ (port 5672) and add the openstack user
[root@linux-node1 ~]# systemctl enable rabbitmq-server.service
[root@linux-node1 ~]# ln -s '/usr/lib/systemd/system/rabbitmq-server.service' '/etc/systemd/system/multi-user.target.wants/rabbitmq-server.service'
[root@linux-node1 ~]# systemctl start rabbitmq-server.service
[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack #add the user and its password
[root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" #grant openstack configure, write and read access
[root@linux-node1 ~]# rabbitmq-plugins list #list the available plugins
.........
[ ] rabbitmq_management 3.6.2 #this plugin provides the web management UI
.........
[root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management #enable the plugin
The following plugins have been enabled:
mochiweb
webmachine
rabbitmq_web_dispatch
amqp_client
rabbitmq_management_agent
rabbitmq_management
Plugin configuration has changed. Restart RabbitMQ for changes to take effect.
[root@linux-node1 ~]# systemctl restart rabbitmq-server.service
[root@linux-node1 ~]# lsof -i:15672
Open the RabbitMQ management UI at http://58.68.250.17:15672
The default username and password are both guest. Add the openstack user to the group in the browser and test logging in; if the page cannot be reached, it is usually because the firewall was not turned off!
Then log out and log back in as openstack
How to monitor it with Zabbix?
The HTTP API is described at the bottom left of the page; Zabbix monitoring can be built on it.
This completes the base environment; next the OpenStack components are installed.
3.5 Configuring the Keystone identity service
Every service must be registered in Keystone.
3.5.1 Keystone introduction
3.5.2 Configuring Keystone
Ports 5000 and 35357
1. Generate a random value for the token
[root@linux-node1 ~]# openssl rand -hex 10
35d6e6f377a889571bcf
[root@linux-node1 ~]# cat /etc/keystone/keystone.conf|grep -v "^#"|grep -v "^$"
[DEFAULT]
admin_token = 35d6e6f377a889571bcf #set the token to the random value generated above
verbose = true
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql://keystone:keystone@192.168.1.17/keystone #database connection string; goes under [database]
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
servers = 192.168.1.17:11211
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
driver = sql
[role]
[saml]
[signing]
[ssl]
[token]
provider = uuid
driver = memcache
[tokenless_auth]
[trust]
2. Create the database tables with the sync command
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
No handlers could be found for logger "oslo_config.cfg" #this message does not affect the following steps; ignore it
[root@linux-node1 ~]# ll /var/log/keystone/keystone.log
-rw-r--r--. 1 keystone keystone 298370 Aug 26 11:36 /var/log/keystone/keystone.log #the su switch above is needed because this log file is owned by keystone
[root@linux-node1 config]# mysql -h 192.168.1.17 -u keystone -p #check the tables in the database; in production do not use keystone as the password, choose something complex
3. Start memcached and Apache
Start memcached
[root@linux-node1 ~]# systemctl enable memcached
[root@linux-node1 ~]# ln -s '/usr/lib/systemd/system/memcached.service' '/etc/systemd/system/multi-user.target.wants/memcached.service'
[root@linux-node1 ~]# systemctl start memcached
Configure httpd
[root@linux-node1 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.1.17:80
[root@linux-node1 ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Start httpd
[root@linux-node1 config]# systemctl enable httpd
[root@linux-node1 config]# ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@linux-node1 config]# systemctl start httpd
[root@linux-node1 ~]# netstat -lntup|grep httpd
tcp6 0 0 :::5000 :::* LISTEN 23632/httpd
tcp6 0 0 :::80 :::* LISTEN 23632/httpd
tcp6 0 0 :::35357 :::* LISTEN 23632/httpd
If httpd does not start, disable SELinux or run yum install openstack-selinux
4. Create the Keystone users
Temporarily export the admin_token environment variables, which are used to create the users
[root@linux-node1 ~]# export OS_TOKEN=35d6e6f377a889571bcf #the random value generated above
[root@linux-node1 ~]# export OS_URL=http://192.168.1.17:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
Create the admin project -> create the admin user (password admin; do not do this in production) -> create the admin role -> add the admin user to the admin project with the admin role (the three admin arguments are: project, user, role)
[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
[root@linux-node1 ~]# openstack role create admin
[root@linux-node1 ~]# openstack role add --project admin --user admin admin
Create an ordinary user, demo
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo
[root@linux-node1 ~]# openstack user create --domain default --password=demo demo
[root@linux-node1 ~]# openstack role create user
[root@linux-node1 ~]# openstack role add --project demo --user demo user
Create the service project, used for managing the other services
[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service
The names above are fixed and must not be changed
List the users and projects just created
[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| b1f164577a2d43b9a6393527f38e3f75 | demo |
| b694d8f0b70b41d883665f9524c77766 | admin |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 604f9f78853847ac9ea3c31f2c7f677d | demo |
| 777f4f0108b1476eabc11e00dccaea9f | admin |
| aa087f62f1d44676834d43d0d902d473 | service |
+----------------------------------+---------+
5. Register the Keystone service; the three endpoint types are public, internal and admin.
[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.1.17:5000/v2.0
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.1.17:5000/v2.0
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.1.17:35357/v2.0
[root@linux-node1 ~]# openstack endpoint list #list the endpoints
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 011a24def8664506985815e0ed2f8fa5 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.17:5000/v2.0  |
| b0981cae6a8c4b3186edef818733fec6 | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.17:5000/v2.0  |
| c4e0c79c0a8142eda4d9653064563991 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.17:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
[root@linux-node1 ~]# openstack endpoint delete ID #delete an endpoint with this command
6. Verification: obtain a token; Keystone is only configured correctly once a token can be obtained
[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.1.17:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue #press Enter
Password: admin
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-12-17T04:22:00.600668Z |
| id | 1b530a078b874438aadb77af11ce297e |
| project_id | 777f4f0108b1476eabc11e00dccaea9f |
| user_id | b694d8f0b70b41d883665f9524c77766 |
+------------+----------------------------------+
Use environment variables to obtain the token; the same variables are needed later when creating virtual machines.
Create two environment-variable files and simply source them when needed!!! (Note the directory the two .sh files live in: source the appropriate file before running any query command, otherwise it errors out!!)
[root@linux-node1 ~]# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.1.17:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# cat demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.1.17:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# source admin-openrc.sh
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-12-17T04:26:08.625399Z |
| id | 58370ae3b9bb4c07a67700dd184ad3b1 |
| project_id | 777f4f0108b1476eabc11e00dccaea9f |
| user_id | b694d8f0b70b41d883665f9524c77766 |
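As an added example, not from the original post: a shell check to run before sourcing admin-openrc.sh or demo-openrc.sh. It refuses a file that other users can read (it holds OS_PASSWORD in clear text), a file missing any of the variables listed above, and a shell in which the bootstrap OS_TOKEN/OS_URL are still set (the client would keep using token auth instead of the password). The file paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: validate an openrc file before
# sourcing it. Assumes a Linux system with ls, cut and grep available.

# 0 if the file is readable by its owner only (e.g. -rw-------), else 1.
owner_only() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        ?r??------) return 0 ;;   # group and other bits all cleared
        *) return 1 ;;
    esac
}

# 0 if every variable that password auth needs is exported by the file.
has_required_vars() {
    for v in OS_PROJECT_DOMAIN_ID OS_USER_DOMAIN_ID OS_PROJECT_NAME \
             OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        grep -q "^export $v=" "$1" || return 1
    done
    return 0
}

# Combined check. Return codes: 0 = safe to source, 1 = bad permissions,
# 2 = missing variables, 3 = bootstrap token variables still set.
check_openrc() {
    f=$1
    owner_only "$f" || { echo "refusing: $f is readable by other users" >&2; return 1; }
    has_required_vars "$f" || { echo "refusing: $f lacks required OS_* variables" >&2; return 2; }
    if [ -n "$OS_TOKEN" ] || [ -n "$OS_URL" ]; then
        echo "refusing: run 'unset OS_TOKEN OS_URL' first" >&2
        return 3
    fi
    return 0
}

# Usage (paths assumed): check_openrc /root/admin-openrc.sh && . /root/admin-openrc.sh
```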