Deploying OpenStack Ocata step by step
2019-07-18
zwb_jianshu
I. Create two virtual machines (both nodes, with virtualization enabled)
10.0.0.11 controller memory: 4G
10.0.0.31 computer1 memory: 1G
II. Configure the hosts file (both nodes)
cat >/etc/hosts<<EOF
10.0.0.11 controller
10.0.0.31 computer1
EOF
II. Configuration steps (both nodes)
cd /opt/
Upload openstack_ocata_rpm.tar.gz into /opt/
tar xf openstack_ocata_rpm.tar.gz
Configure the yum repository:
cd /etc/yum.repos.d/
mv *.repo /tmp
mv /tmp/CentOS-Base.repo .
vi openstack.repo
[openstack]
name=openstack
baseurl=file:///opt/repo
enabled=1
gpgcheck=0
Verify:
yum clean all
yum install python-openstackclient -y
III. SQL database (controller)
1. Install the packages:
# yum install mariadb mariadb-server python2-PyMySQL
2. Create and edit /etc/my.cnf.d/openstack.cnf, then complete the following actions:
In the [mysqld] section, set bind-address to the management-network IP address of the controller node so that other nodes can reach the database over the management network. Set the remaining keys to enable some useful options and UTF-8 encoding:
vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 10.0.0.11
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
## Finalize the installation
1. Start the database service and configure it to start at boot:
# systemctl enable mariadb.service
# systemctl start mariadb.service
2. Secure the installation (the session below shows the answers used):
[root@controller ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] n
... skipping.
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
V. Message queue (controller)
1. Install the package:
# yum install rabbitmq-server
2. Start the message queue service and configure it to start with the system:
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
3. Add the openstack user, replacing RABBIT_PASS with a suitable password:
# rabbitmqctl add_user openstack RABBIT_PASS
Creating user "openstack" ...
4. Grant the ``openstack`` user write and read permissions:
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
VI. Memcached (controller)
1. Install the packages:
# yum install memcached python-memcached
2. Edit the configuration file:
vim /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1,::1,controller"
## Finalize the installation
3. Start the Memcached service and configure it to start at boot:
# systemctl enable memcached.service
# systemctl start memcached.service
VII. Identity service (keystone)
1. Identity service overview
Server
A centralized server provides authentication and authorization services using a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, and may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
Modules
Middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface.
2. Install and configure
Prerequisites:
(1) Connect to the database server as the root user with the database client:
mysql -u root -p
(2) Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
(3) Grant proper access to the ``keystone`` database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password.
(4) Exit the database client.
VIII. Install and configure the components
1. Run the following command to install the packages:
yum install openstack-keystone httpd mod_wsgi
2. Edit the `/etc/keystone/keystone.conf` file and complete the following actions:
In the `[database]` section, configure database access:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
Note
Comment out or remove any other options in the ``[database]`` section except ``connection``.
In the ``[token]`` section, configure the Fernet token provider:
[token]
# ...
provider = fernet
3. Populate the Identity service database:
su -s /bin/sh -c "keystone-manage db_sync" keystone
4. Initialize the Fernet key repositories:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap the Identity service:
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Replace `ADMIN_PASS` with a suitable password for an administrative user.
IX. Configure the Apache HTTP server
1. Edit the ``/etc/httpd/conf/httpd.conf`` file and set the ``ServerName`` option to the controller node:
ServerName controller
2. Create a link to the ``/usr/share/keystone/wsgi-keystone.conf`` file:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Finalize the installation
1. Start the Apache HTTP service and configure it to start at boot:
systemctl enable httpd.service
systemctl start httpd.service
2. Configure the admin account (the variables below, then the author's actual .bashrc):
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# vim .bashrc
[root@controller ~]# . .bashrc
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0d76ef773ac549169765628a9a235d64 | service |
| b57ddfd155d344659a32fa6266ad44e3 | admin |
+----------------------------------+---------+
X. Create a domain, projects, users and roles
1. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the ``service`` project:
openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
2. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
Create the ``demo`` project:
openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
3. Create the ``demo`` user:
openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
4. Create the user role:
openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
5.Add the user role to the demo user of the demo project:
openstack role add --project demo --user demo user
XI. Verify operation
1. For security reasons, disable the temporary authentication token mechanism:
Edit the /etc/keystone/keystone-paste.ini file and remove ``admin_token_auth`` from the ``[pipeline:public_api]``, ``[pipeline:admin_api]`` and ``[pipeline:api_v3]`` sections.
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD`` environment variables:
unset OS_AUTH_URL OS_PASSWORD
3. As the admin user, request an authentication token:
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
4. As the ``demo`` user, request an authentication token:
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
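Step 1 above asks for a manual edit of three pipeline sections. The script below is an added example (not part of the original post and not Keystone's own tooling) that performs that edit with Python's configparser and reports whether the filter was actually present, so you can tell a real change from a no-op. The keystone-paste.ini text it operates on is a constructed, trimmed sample; the filter names in the pipelines are illustrative rather than a copy of the shipped file.

```python
"""Remove the admin_token_auth filter from the Keystone paste pipelines.

Added example for the verification section: it performs the edit the
post describes on a constructed sample of /etc/keystone/keystone-paste.ini.
"""
import configparser
import io
from typing import Dict, List, Tuple

# Pipelines named in the post from which admin_token_auth must be removed.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER_NAME = "admin_token_auth"

# Constructed sample: a trimmed keystone-paste.ini whose three pipelines
# still carry the admin_token_auth filter. Filter names are illustrative.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""


def _load(text: str) -> configparser.ConfigParser:
    # interpolation=None: paste ini values may contain '%' characters that
    # configparser's default interpolation would reject. optionxform=str keeps
    # key case exactly as written in the file.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def strip_admin_token_auth(text: str) -> Tuple[str, Dict[str, bool]]:
    """Return the ini text with admin_token_auth dropped from each pipeline.

    The second value records, per pipeline section, whether the filter was
    present before the edit (True means the file was really changed).
    """
    cp = _load(text)
    changed = {}
    for section in PIPELINES:
        if not cp.has_section(section):
            changed[section] = False
            continue
        filters = cp.get(section, "pipeline").split()
        changed[section] = FILTER_NAME in filters
        cp.set(section, "pipeline",
               " ".join(f for f in filters if f != FILTER_NAME))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


def pipeline_filters(text: str, section: str) -> List[str]:
    """The filter names in one pipeline section, for inspection."""
    return _load(text).get(section, "pipeline").split()


if __name__ == "__main__":
    new_text, changed = strip_admin_token_auth(SAMPLE_PASTE_INI)
    for section, was_present in changed.items():
        print(f"{section}: removed={was_present}")
    # To apply this to a real node, read /etc/keystone/keystone-paste.ini into
    # `text`, call strip_admin_token_auth(text), write the result back and
    # restart httpd so the WSGI workers reload the pipeline.
```

The `[filter:admin_token_auth]` definition itself is left in place; only the references in the three pipelines are removed, which is exactly the edit the post asks for. Running the function a second time reports `False` for every section, so it is safe to re-run.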
XII. Create OpenStack client environment scripts
(1) Create the scripts:
Create client environment scripts for the `admin` and `demo` projects and users. Later sections of this guide reference these scripts to load the appropriate credentials for client operations.
1. Create and edit the `admin-openrc` file and add the following content:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Replace `ADMIN_PASS` with the password you chose for the `admin` user in the Identity service.
2. Create and edit the `demo-openrc` file and add the following content:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Replace `DEMO_PASS` with the password you chose for the `demo` user in the Identity service.
(2) Use the scripts
To run clients as a specific project and user, simply load the associated client environment script before running them. For example:
1. Load the ``admin-openrc`` file to populate environment variables with the location of the Identity service and the ``admin`` project and user credentials:
. admin-openrc
2. Request an authentication token:
openstack token issue
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
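The token requests in section XI and the openrc scripts in section XII both end in the same operation: the `openstack` client reads the `OS_*` variables, sends a Keystone v3 password-authentication request and prints the token from the reply. The example below is added here and is not part of the original post or of the openstack client; it shows that exchange in plain Python so the shape of the request body and the `X-Subject-Token` header are visible. The openrc text and the HTTP reply it parses are constructed samples (the `project_id`, `user_id` and `expires` values are copied from the output shown above); `issue_token` is a helper of this example for use against a real controller and is not exercised offline.

```python
"""Load an OpenStack openrc file and obtain a Keystone v3 token.

Added example, not part of the original post: it mirrors what
`. admin-openrc && openstack token issue` does under the hood.
"""
import json
import re
import urllib.request
from typing import Dict, Tuple

# Constructed sample, identical in shape to the admin-openrc in the post.
SAMPLE_OPENRC = """\
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""

# Matches `export KEY=VALUE` with an optional pair of double quotes.
_EXPORT_RE = re.compile(r'^\s*export\s+([A-Z_][A-Z0-9_]*)=("?)(.*?)\2\s*$')

REQUIRED = ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME",
            "OS_USER_DOMAIN_NAME", "OS_PROJECT_DOMAIN_NAME")


def parse_openrc(text: str) -> Dict[str, str]:
    """Parse `export KEY=VALUE` lines into a dict without running a shell."""
    env = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if m:
            env[m.group(1)] = m.group(3)
    return env


def build_auth_request(env: Dict[str, str]) -> Tuple[str, dict]:
    """Return (URL, JSON body) for a project-scoped POST /v3/auth/tokens."""
    missing = [k for k in REQUIRED if k not in env]
    if missing:
        raise ValueError("openrc is missing: " + ", ".join(missing))
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    body = {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": env["OS_USERNAME"],
                "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}
    return url, body


def parse_token_response(headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """Extract the fields `openstack token issue` prints from a 201 reply.

    The token itself travels in the X-Subject-Token header, not in the body.
    """
    token = next((v for k, v in headers.items()
                  if k.lower() == "x-subject-token"), None)
    if token is None:
        raise ValueError("no X-Subject-Token header in response")
    data = json.loads(body)["token"]
    return {"id": token, "expires": data["expires_at"],
            "project_id": data["project"]["id"],
            "user_id": data["user"]["id"]}


def issue_token(env: Dict[str, str]) -> Dict[str, str]:
    """Live call against a real controller (hypothetical helper, not run here)."""
    url, body = build_auth_request(env)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(dict(resp.headers), resp.read())


# Constructed reply shaped like Keystone's 201 response; the token id is made up,
# the other values are the ones shown in the post's `openstack token issue` output.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token",
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"],
    "expires_at": "2016-02-12T20:44:35.659723Z",
    "project": {"id": "343d245e850143a096806dfaefa9afdc", "name": "admin"},
    "user": {"id": "ac3377633149401296f6c0d92d79dc16", "name": "admin"}}}).encode()

if __name__ == "__main__":
    url, body = build_auth_request(parse_openrc(SAMPLE_OPENRC))
    print(url)
    print(parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Because `parse_openrc` only matches `export` lines, anything else a user drops into the file is ignored rather than executed, which is the reason for not sourcing it through a shell from a script. The admin script in the post points at port 35357 and the demo script at 5000; the same request body works against either, since the scope decides what the token can do.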