OpenStack Deployment
I. Environment
1.0 Host and IP planning
| Hostname | IP addresses | Operating system | CPU / memory | Role |
|---|---|---|---|---|
| controller | 192.168.10.128/24 192.168.80.139/24 | CentOS 7 | 2 4GB | Controller node, network node |
| compute01 | 192.168.10.136/24 192.168.80.154/24 | CentOS 7 | 1 2GB | Compute node |
| block01 | 192.168.10.135/24 192.168.80.146/24 | CentOS 7 | 1 2GB | Block storage node |
```console
[root@controller ~]# nmcli conn modify ens37 ipv4.addresses 192.168.10.128/24 ipv4.method manual connection.autoconnect yes con-name 'ens37' ifname ens37
[root@controller ~]# nmcli conn up ens37
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/12)
[root@compute01 ~]# nmcli conn modify '有线连接 1' con-name ens37 ifname ens37 ipv4.addresses 192.168.10.136/24 ipv4.method manual connection.autoconnect yes
[root@compute01 ~]# nmcli conn up ens37
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/14)
[root@block01 ~]# nmcli conn modify '有线连接 1' con-name ens37 ifname ens37 ipv4.addresses 192.168.10.135/24 ipv4.method manual connection.autoconnect yes
[root@block01 ~]# nmcli conn up ens37
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/9)
```
2.0 Configure host name resolution
```console
[root@controller ~]# vim /etc/hosts
192.168.10.128 controller
192.168.10.136 compute01
192.168.10.135 block01
[root@controller ~]# scp /etc/hosts 192.168.10.136:/etc/
[root@controller ~]# scp /etc/hosts 192.168.10.135:/etc/
```
2.1 Ping test
```console
[root@controller ~]# ping compute01
PING compute01 (192.168.10.136) 56(84) bytes of data.
64 bytes from compute01 (192.168.10.136): icmp_seq=1 ttl=64 time=0.179 ms
64 bytes from compute01 (192.168.10.136): icmp_seq=2 ttl=64 time=1.33 ms
^C
--- compute01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.179/0.756/1.334/0.578 ms
[root@controller ~]# ping block01
PING block01 (192.168.10.135) 56(84) bytes of data.
64 bytes from block01 (192.168.10.135): icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from block01 (192.168.10.135): icmp_seq=2 ttl=64 time=1.58 ms
^C
--- block01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.233/0.907/1.581/0.674 ms
[root@compute01 ~]# ping block01
PING block01 (192.168.10.135) 56(84) bytes of data.
64 bytes from block01 (192.168.10.135): icmp_seq=1 ttl=64 time=0.334 ms
64 bytes from block01 (192.168.10.135): icmp_seq=2 ttl=64 time=1.72 ms
^C
--- block01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1009ms
rtt min/avg/max/mdev = 0.334/1.030/1.726/0.696 ms
```
3.0 Configure time synchronization
3.1 Install the chrony service
```console
$ yum install chrony -y
$ systemctl enable chronyd.service
$ systemctl start chronyd.service
```
3.2 Allow the protocol through the firewall
```console
$ firewall-cmd --add-service=ntp
$ firewall-cmd --add-service=ntp --permanent
$ firewall-cmd --reload
```
3.3 Time server
```console
[root@controller ~]# vim /etc/chrony.conf
allow 192.168.10.0/24    # network allowed to synchronize
[root@controller ~]# systemctl restart chronyd
```
3.4 Synchronize with the time server
```console
$ vim /etc/chrony.conf
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server controller iburst
$ systemctl restart chronyd
$ chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* controller                    4   6    17     2    +11us[ +279us] +/-   98ms
```
4.0 Install the OpenStack client
```console
$ yum upgrade -y                                  # update packages
$ yum install centos-release-openstack-train -y   # install the Train repository
$ yum install python-openstackclient -y           # install the client
$ yum install openstack-selinux -y                # automatically manages SELinux security policy
```
5.0 Install the MariaDB service
5.1 Install and configure the service
```console
[root@controller ~]# yum install mariadb mariadb-server python2-PyMySQL -y
[root@controller ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.10.128
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
[root@controller ~]# systemctl enable mariadb
[root@controller ~]# systemctl start mariadb
```
5.2 Initialize the database
```console
[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
```
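6.0 Install the message queue service (Message queue)
OpenStack uses a message queue to coordinate operations and status information among services. The message queue service typically runs on the controller node. OpenStack supports several message queue services, including RabbitMQ, Qpid, and ZeroMQ. However, most distributions that package OpenStack support a particular message queue service. This guide uses the RabbitMQ message queue service because most distributions support it.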
6.1 Install and start the service
```console
[root@controller ~]# yum install rabbitmq-server -y
[root@controller ~]# systemctl start rabbitmq-server.service
```
6.2 Add the openstack user and permissions
```console
[root@controller ~]# rabbitmqctl add_user openstack Com.
Creating user "openstack"
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/"
```
6.3 Check the RabbitMQ ports
```console
[root@controller ~]# netstat -antp | grep 5672
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      56152/beam
tcp6       0      0 :::5672                 :::*                    LISTEN      56152/beam
```
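7.0 Memcached service
The Identity service's authentication mechanism uses Memcached to cache tokens. The memcached service typically runs on the controller node. For production deployments, a combination of firewalling, authentication, and encryption is recommended to secure it.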
7.1 Install the packages
```console
[root@controller ~]# yum install memcached python-memcached -y
```
7.2 Configure Memcached
```console
[root@controller ~]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
# have the service use the management network IP
OPTIONS="-l 127.0.0.1,::1,192.168.10.128"
[root@controller ~]# systemctl enable memcached
[root@controller ~]# systemctl start memcached
```
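8.0 Install the Etcd service
OpenStack services can use Etcd, a distributed, reliable key-value store, for distributed locking, storing configuration, keeping track of service liveness, and other scenarios.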
8.1 Install the software
```console
[root@controller ~]# yum install etcd -y
```
8.2 Configure Etcd
```console
[root@controller ~]# vim /etc/etcd/etcd.conf
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
...
ETCD_LISTEN_PEER_URLS="http://192.168.10.128:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.10.128:2379"
...
ETCD_NAME="controller"
...
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.10.128:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.10.128:2379"
...
ETCD_INITIAL_CLUSTER="controller=http://192.168.10.128:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
```
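Added example, not from the original guide: the Memcached note in 7.0 recommends firewalling, authentication and encryption, and both the Memcached and Etcd settings above bind to the management address 192.168.10.128. This Python check lists which listeners in those two files are reachable from the network and, for Etcd, which of them serve plain http; the sample strings are constructed from 7.2 and 8.2, and the function names are illustrative.

```python
import ipaddress
import re
import shlex
from urllib.parse import urlsplit

# Constructed samples that mirror the settings shown in 7.2 and 8.2.
MEMCACHED = 'PORT="11211"\nOPTIONS="-l 127.0.0.1,::1,192.168.10.128"\n'
ETCD = ('#ETCD_CORS=""\n'
        'ETCD_LISTEN_PEER_URLS="http://192.168.10.128:2380"\n'
        'ETCD_LISTEN_CLIENT_URLS="http://192.168.10.128:2379"\n')

def parse_env(text):
    """Parse KEY="value" lines; lines starting with '#' do not match."""
    pairs = re.findall(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"\n]*)"?', text, re.M)
    return {k: v.strip() for k, v in pairs}

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def memcached_exposed(text):
    """Non-loopback addresses memcached listens on (no -l means all)."""
    args = shlex.split(parse_env(text).get("OPTIONS", ""))
    addrs = []
    for i, arg in enumerate(args):
        if arg == "-l" and i + 1 < len(args):
            addrs += args[i + 1].split(",")
    if not addrs:
        return ["0.0.0.0"]  # stands for "every interface"
    return [a for a in addrs if not is_loopback(a)]

def etcd_plaintext(text):
    """(key, url) pairs for etcd listeners serving http on a routable address."""
    found = []
    for key, value in parse_env(text).items():
        if "_LISTEN_" not in key:
            continue
        for url in value.split(","):
            u = urlsplit(url.strip())
            if u.scheme == "http" and not is_loopback(u.hostname or ""):
                found.append((key, url.strip()))
    return found

if __name__ == "__main__":
    print("memcached:", memcached_exposed(MEMCACHED))
    print("etcd:", etcd_plaintext(ETCD))
```

Every address the check reports is one that the firewall rules for the management network need to cover, since neither service is configured here with authentication or TLS.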
8.3 Restart the service
```console
[root@controller ~]# systemctl enable etcd
[root@controller ~]# systemctl restart etcd
```
II. Deploying OpenStack
Server deployment
1.0 Identity service – keystone
The OpenStack Identity service provides a single point of integration for authentication, authorization, and the service catalog.
1.1 Create the Keystone database
```sql
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'Com.';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'Com.';
Query OK, 0 rows affected (0.000 sec)
```
1.2 Install the packages
```console
[root@controller ~]# yum install openstack-keystone mod_wsgi -y
```
1.3 Configure Keystone
```console
[root@controller ~]# vim /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:[email protected]/keystone
[token]
provider = fernet
```
1.4 Initialize the database
This must be run as the keystone user.
```console
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
```
1.5 Initialize the Fernet keys used to generate tokens
```console
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```
1.6 Bootstrap the Identity service
```console
[root@controller ~]# keystone-manage bootstrap --bootstrap-password Com. \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
```
1.7 Configure the Apache service
```console
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service
```
1.8 Configure the administrator account token
```console
[root@controller ~]# vim admin_keystone
export OS_USERNAME=admin
export OS_PASSWORD=Com.
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
```
1.9 Load the administrator token
```console
[root@controller ~]# source admin_keystone
```
1.10 Verify operation
1.10.1 Unset the administrator identity
```console
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
```
1.10.2 Request an admin token as a user
```console
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password: # Com.
Password: # Com.
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-05-02T07:38:52+0000 |
| id         | gAAAAABgjkj81ZdBAl_WyCWzO-8XqzsJO9Qzx6LCvCV9jZDn7-yr3PufHv0Q0Ue-sYIhFTWuKXR4kh32v6kXbXfsTidaAxf09nnSpDCc1qDHr2CgiA4EGleEnmRAK95K1vZeU9lgglh4TDMpT3js8LYcFMcpyP6ySe4shVeLpJvxBVe1R8ACo |
| project_id | 32d26bea250d4bee96dc46c3adccb304 |
| user_id    | 6d6c7f8f3c8a47f8becf5dae64 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```
1.10.3 Load the administrator token
```console
[root@controller ~]# source admin_keystone
```
1.10.4 Request an admin token
```console
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-05-02T07:43:18+0000 |
| id         | gAAAAABgjkoG23IdyBs3UlCVTtPpjkk555Qq5hlXKvVEcKLVGawYnYHZP2ujbcbyDtCqUYTeDzXs6Z4oJQwvvNnTaVu62SDlPKTYflTvCFCsrGg9q09fMqBf4TXscv3Waj8IcFJPskaYJ0-f6pTxiH0vV1ctuGMSVEZW6n0Rq84xBycfyifeVjQ |
| project_id | 32d26bea250d4bee96dc46c3adccb304 |
| user_id    | 6d6c7f8f3c8a47f8becf5dae64 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```
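Added example, not part of the original guide: a Fernet token starts with an unencrypted header, the version byte 0x80 followed by a 64-bit creation timestamp, so the token IDs printed in 1.10.2 and 1.10.4 reveal when they were issued. The Python below decodes that header from the first 12 characters of each ID and compares it with the `expires` field to get the token lifetime; the function names are illustrative.

```python
import base64
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # the only version the Fernet spec defines

# First 12 characters of the token IDs shown in 1.10.2 and 1.10.4, paired
# with the "expires" value printed beside each of them.
SAMPLES = [
    ("gAAAAABgjkj8", "2021-05-02T07:38:52+0000"),
    ("gAAAAABgjkoG", "2021-05-02T07:43:18+0000"),
]

def issued_at(token):
    """Return the creation time stored in the clear Fernet header."""
    # 12 base64url characters decode to exactly 9 bytes (version + timestamp),
    # so the padding Keystone strips from token IDs is not needed here.
    header = base64.urlsafe_b64decode(token[:12])
    if len(header) != 9 or header[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token header")
    _version, ts = struct.unpack(">BQ", header)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def lifetime_seconds(token, expires):
    """Seconds between the header timestamp and the reported expiry."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return int((exp - issued_at(token)).total_seconds())

def over_policy(samples, max_seconds=3600):
    """Return the tokens whose lifetime exceeds max_seconds."""
    return [t for t, e in samples if lifetime_seconds(t, e) > max_seconds]

if __name__ == "__main__":
    for tok, exp in SAMPLES:
        print(issued_at(tok).isoformat(), lifetime_seconds(tok, exp))
```

Both samples decode to a lifetime of 3600 seconds, which matches Keystone's default `[token] expiration`; a token ID is a bearer credential for that whole window.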
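2.0 Image service – glance
OpenStack builds a basic IaaS platform that provides virtual machines to users, and an operating system to install must be chosen when a virtual machine is created; the glance service supplies the different operating system images for that choice.
The glance service enables users to discover, register, and retrieve virtual machine images. It offers a REST API for querying virtual machine image metadata and retrieving the actual image.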
2.1 Preparation
2.1.1 Create the required database
```sql
MariaDB [(none)]> create database glance;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'Com.';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'Com.';
Query OK, 0 rows affected (0.000 sec)
```
2.1.2 Switch to the admin identity
```console
[root@controller ~]# . admin_keystone
```
2.1.3 Create the glance user
```console
[root@controller ~]# openstack user create --domain default --password-prompt glance
User Password: # Com.
Repeat User Password: # Com.
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | b7c57643ad2edcd68a4dd1d          |
| name                | glance                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
```
2.1.4 Create the project
```console
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 0b55f0876d1349eb76356aa          |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0b55f0876d1349eb76356aa          | service |
| 32d26bea250d4bee96dc46c3adccb304 | admin   |
+----------------------------------+---------+
```
2.1.5 Add the role to the user and project
```console
[root@controller ~]# openstack role add --project service --user glance admin # no output
```
2.1.6 Create the service (glance)
```console
[root@controller ~]# openstack service create --name glance \
> --description "OpenStack Image" image
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Image                  |
| enabled     | True                             |
| id          | d2d430cb2eab4d4b9015c1460a1a600a |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 3e76d943fb2548ef8ebc9d9cbf       | keystone | identity |
| d2d430cb2eab4d4b9015c1460a1a600a | glance   | image    |
+----------------------------------+----------+----------+
```
2.1.7 Create the Image API endpoints
```console
[root@controller ~]# openstack endpoint create --region RegionOne \
> image public http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 83c08e6fd59948ef89c1f306e3930c77 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | d2d430cb2eab4d4b9015c1460a1a600a |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image internal http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | acbdb9dcd42adeee5a721a4          |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | d2d430cb2eab4d4b9015c1460a1a600a |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image admin http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id
```
