Steward_Xu


I. Deployment environment:
    Two CentOS 7 hosts with 2 GB of RAM each

    Controller and compute node:
        Hostname1:    ip: 172.22.0.218

    Compute and storage node:
        Hostname2:    ip: 172.22.0.209

II. Preparing the controller node

  1. Install and configure time synchronisation

[root@linux-node1 ~]# yum install -y chrony
[root@linux-node1 ~]# vi /etc/chrony.conf
# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 172.22.0.0/24

  2. Start time synchronisation

[root@linux-node1 ~]# systemctl enable chronyd.service
[root@linux-node1 ~]# systemctl start chronyd.service
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai

  3. Install the OpenStack Newton release repositories and client

[root@linux-node1 ~]# yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm -y
[root@linux-node1 ~]# yum install centos-release-openstack-newton -y
[root@linux-node1 ~]# yum install python-openstackclient -y

  4. Install MySQL (MariaDB)

[root@linux-node1 ~]# yum install mariadb mariadb-server MySQL-python -y
[root@linux-node1 /]# cp /usr/share/mariadb/my-medium.cnf /etc/my.cnf
[root@linux-node1 /]# vim /etc/my.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
[root@linux-node1 /]# systemctl enable mariadb.service    # start automatically at boot
[root@linux-node1 /]# systemctl start mariadb.service     # start mysql
[root@linux-node1 /]# mysql_secure_installation           # set the root password
[root@linux-node1 /]# mysql -u root -p                    # log in to the database

  5. Create a database for each component:

CREATE DATABASE keystone;                   # service registry (identity and catalog)
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
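The GRANT statements above use each service name as its own password and accept the user from any host ('%'). As an added example (not from the original post), the POSIX shell generator below emits the same statements for the six databases of step 5, but with a random 20-hex-character password per service (nova and nova_api share the nova user, as above) and a caller-supplied host pattern such as the 172.22.0.0/24 management network used in chrony.conf. The function names and the password file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: step-5 database grants with a
# generated password per service and a restricted client host pattern.
# Function names and the password-file layout are assumptions.

# grant_sql SERVICE DATABASE PASSWORD HOSTPATTERN
# Prints the CREATE DATABASE / GRANT statements for one service database.
grant_sql() {
    svc=$1; db=$2; pw=$3; host=$4
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$svc" "$pw"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$db" "$svc" "$host" "$pw"
}

# new_password -> 20 hex characters from /dev/urandom (same shape as the
# "openssl rand -hex 10" value the post uses for admin_token).
new_password() { od -An -N10 -tx1 /dev/urandom | tr -d ' \n'; }

# gen_all HOSTPATTERN PASSWORDFILE
# Writes the SQL for every service to stdout and one "service=password"
# line per service user to PASSWORDFILE, created with mode 600 so the
# secrets can later be copied into the matching [database] connection
# strings without ending up world-readable.
gen_all() {
    host=$1; out=$2
    ( umask 077; : > "$out" )
    # service:database pairs from step 5; the nova user owns both nova and nova_api
    for pair in keystone:keystone glance:glance nova:nova nova:nova_api neutron:neutron cinder:cinder; do
        svc=${pair%%:*}; db=${pair#*:}
        pw=$(grep "^$svc=" "$out" | cut -d= -f2)      # reuse the password if the user already has one
        if [ -z "$pw" ]; then
            pw=$(new_password)
            echo "$svc=$pw" >> "$out"
        fi
        grant_sql "$svc" "$db" "$pw" "$host"
    done
}

# Example use: gen_all '172.22.0.%' /root/.openstack-db-passwords > /root/grants.sql
# then feed grants.sql to "mysql -u root -p" and copy the passwords into each service's config.
```

The host pattern is a MySQL wildcard, so '172.22.0.%' admits the controller (172.22.0.218) and the compute node (172.22.0.209) while still rejecting connections from outside that subnet.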

  6. Install the RabbitMQ message queue

[root@linux-node1 /]# yum install rabbitmq-server -y
[root@linux-node1 /]# systemctl enable rabbitmq-server.service      # start rabbitmq at boot
[root@linux-node1 /]# systemctl start rabbitmq-server.service       # start rabbitmq; it listens on port 5672 (check with netstat -nplt)
[root@linux-node1 /]# rabbitmqctl add_user openstack openstack      # create user openstack with password openstack
[root@linux-node1 /]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"  # grant permissions

  7. List the available plugins and enable the web management plugin (ports 25672 and 15672)

[root@localhost ~]# rabbitmq-plugins list                  # list available plugins
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@localhost
 |/
[e*] amqp_client                       3.6.5
[  ] cowboy                            1.0.3
[  ] cowlib                            1.0.1
[e*] mochiweb                          2.13.1
[  ] rabbitmq_amqp1_0                  3.6.5
[  ] rabbitmq_auth_backend_ldap        3.6.5
[  ] rabbitmq_auth_mechanism_ssl       3.6.5
[  ] rabbitmq_consistent_hash_exchange 3.6.5
[  ] rabbitmq_event_exchange           3.6.5
[  ] rabbitmq_federation               3.6.5
[  ] rabbitmq_federation_management    3.6.5
[  ] rabbitmq_jms_topic_exchange       3.6.5
[E*] rabbitmq_management               3.6.5
[e*] rabbitmq_management_agent         3.6.5
[  ] rabbitmq_management_visualiser    3.6.5
[  ] rabbitmq_mqtt                     3.6.5
[  ] rabbitmq_recent_history_exchange  1.2.1
[  ] rabbitmq_sharding                 0.1.0
[  ] rabbitmq_shovel                   3.6.5
[  ] rabbitmq_shovel_management        3.6.5
[  ] rabbitmq_stomp                    3.6.5
[  ] rabbitmq_top                      3.6.5
[  ] rabbitmq_tracing                  3.6.5
[  ] rabbitmq_trust_store              3.6.5
[e*] rabbitmq_web_dispatch             3.6.5
[  ] rabbitmq_web_stomp                3.6.5
[  ] rabbitmq_web_stomp_examples       3.6.5
[  ] sockjs                            0.3.4
[e*] webmachine                        1.10.3
[root@localhost ~]# rabbitmq-plugins enable rabbitmq_management   # enable the web management plugin; ports 25672 and 15672

  [root@localhost ~]# systemctl restart rabbitmq-server.service   # restart rabbitmq

  Verify by logging in to RabbitMQ:

  Log in to the web interface with the built-in user guest, password guest.

  Grant the openstack user access; this is configured on the Admin tab.

  Click the openstack user and set its Tags to administrator.

  Status once done:

  The openstack user can now log in to RabbitMQ.

III. Deploying Keystone (user authentication and the service catalog, which holds every service and its API endpoints):

  Keystone objects: user; tenant (project); token; role; service; endpoint

  1. Install Keystone

  [root@linux-node1 ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y

  Note: memcached stores Keystone's authentication data (tokens); python-memcached is the client library used to talk to it

  [root@linux-node1 opt]# openssl rand -hex 10    # generate a random value to use as admin_token

  e603318ad06187e6239c

  2. Edit the Keystone configuration file:

[root@localhost ~]# vi /etc/keystone/keystone.conf
[DEFAULT]
# verbose (debug) output
verbose = true
admin_token = e603318ad06187e6239c
[database]
connection = mysql://keystone:keystone@172.22.0.218/keystone
# database connection string: the three "keystone"s are the MySQL user name, its password and the database name
[memcache]
servers = 172.22.0.218:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[root@localhost keystone]# grep '^[a-z]' /etc/keystone/keystone.conf
admin_token = e603318ad06187e6239c
connection = mysql://keystone:keystone@172.22.0.218/keystone
servers = 172.22.0.218:11211
driver = sql
provider = uuid
driver = memcache
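The `grep '^[a-z]'` check above drops the section names, so its output lists `driver = sql` and `driver = memcache` with no way to tell `[revoke]` from `[token]`, and it would not notice a section header typed as `[default]` instead of `[DEFAULT]` (oslo.config compares section names case-sensitively). As an added example, not from the original post, here is a small POSIX shell checker that reads keystone.conf section by section and verifies the settings from step 2; the function names are assumptions, and the sample file it writes uses a constructed token value rather than the one above.

```shell
#!/bin/sh
# Added example, not from the original post: a section-aware check of the
# keystone.conf values from step 2. Function names are assumptions.

# ini_get FILE SECTION KEY
# Prints the value of KEY inside [SECTION] (empty output if absent).
# Section names are compared case-sensitively, as oslo.config does.
ini_get() {
    awk -v want_section="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }                          # comment line
        /^[[:space:]]*\[/ {                                    # [section] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        section == want_section && index($0, "=") > 0 {
            key = $0; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]*/, "", key)
            if (key == want_key) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_keystone_conf FILE DB_HOST
# Returns 0 when every setting step 2 relies on is present and consistent,
# 1 otherwise, printing one FAIL line per problem.
check_keystone_conf() {
    conf=$1; db_host=$2; rc=0

    token=$(ini_get "$conf" DEFAULT admin_token)
    case "$token" in
        "")          echo "FAIL: [DEFAULT] admin_token missing (is the section spelled DEFAULT?)"; rc=1 ;;
        *[!0-9a-f]*) echo "FAIL: admin_token is not the hex string 'openssl rand -hex' produces"; rc=1 ;;
        *)           echo "NOTE: admin_token is a bootstrap secret with full admin rights on :35357; remove it once the admin user works" ;;
    esac

    conn=$(ini_get "$conf" database connection)
    case "$conn" in
        "mysql://keystone:"*"@$db_host/keystone") ;;
        *) echo "FAIL: [database] connection does not point at keystone@$db_host/keystone: '$conn'"; rc=1 ;;
    esac

    [ "$(ini_get "$conf" token provider)" = "uuid" ]   || { echo "FAIL: [token] provider != uuid"; rc=1; }
    [ "$(ini_get "$conf" token driver)" = "memcache" ] || { echo "FAIL: [token] driver != memcache"; rc=1; }
    [ "$(ini_get "$conf" revoke driver)" = "sql" ]     || { echo "FAIL: [revoke] driver != sql"; rc=1; }
    [ -n "$(ini_get "$conf" memcache servers)" ]       || { echo "FAIL: [memcache] servers is empty"; rc=1; }
    return $rc
}

# write_sample_conf FILE
# Writes a constructed keystone.conf mirroring step 2 (sample token, not a real one).
write_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
# verbose (debug) output
verbose = true
admin_token = 0123456789abcdef0123
[database]
connection = mysql://keystone:keystone@172.22.0.218/keystone
[memcache]
servers = 172.22.0.218:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
EOF
}

# Stand-alone demo: check the constructed sample, then a copy whose header is
# the lowercase "[default]" that oslo.config would not treat as DEFAULT.
demo=$(mktemp)
write_sample_conf "$demo"
if check_keystone_conf "$demo" 172.22.0.218; then echo "sample: OK"; fi
sed 's/^\[DEFAULT\]/[default]/' "$demo" > "$demo.lower"
if ! check_keystone_conf "$demo.lower" 172.22.0.218; then echo "lowercase [default]: rejected as expected"; fi
rm -f "$demo" "$demo.lower"
```

To check the real file, run `check_keystone_conf /etc/keystone/keystone.conf 172.22.0.218` after sourcing the script.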

  3. Sync the database and check it:

  [root@localhost ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone  # populate the database schema

  [root@localhost ~]# mysql -uroot -pP@ssw0rd      # log in to the database and check the data

MariaDB [keystone]> show tables    # check that the tables (e.g. token) were created
    -> ;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.01 sec)
  [root@localhost ~]# systemctl start memcached.service  # start memcached

  4. Add an Apache wsgi-keystone configuration file: port 5000 serves the public API, port 35357 serves the admin API

[root@localhost ~]# vi /etc/httpd/conf.d/wsgi-keystone.conf 

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
  5. Edit the Apache configuration

ServerName 172.22.0.218:80

  6. Start Apache and check the service:

[root@localhost ~]# systemctl start httpd.service 
[root@localhost ~]# systemctl enable httpd.service 
[root@localhost ~]# netstat -ntlp | grep httpd     # check
tcp6       0      0 :::80                   :::*                    LISTEN      6381/httpd          
tcp6       0      0 :::35357                :::*                    LISTEN      6381/httpd          
tcp6       0      0 :::5000                 :::*                    LISTEN      6381/httpd  
  7. Set environment variables and create projects:

Create users and connect to Keystone. This can be done in two ways: by passing parameters on the command line (see keystone --help) or through environment variables. The steps below use environment variables, setting the token, the API URL and the API version (very useful in an SOA setting).

[root@linux-node1~]# export OS_TOKEN=e603318ad06187e6239c

[root@linux-node1 ~]# export OS_URL=http://172.22.0.218:35357/v3

[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3  

  Create the admin project

[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 75d20be284604d22aa6339f4a92092ad |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | 7c0763e1b8a84e628eca4603e8170e31 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+
  Create the admin user and set its password (in production, always choose a complex one)

[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 75d20be284604d22aa6339f4a92092ad |
| enabled             | True                             |
| id                  | b157751bed2a49fba654b8aca651d6e2 |
| name                | admin                            |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  Create the admin role

[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | f9d64dd56e924013a5625079afb90bd1 |
| name      | admin                            |
+-----------+----------------------------------+
  Add the admin user to the admin project with the admin role, which ties role, project and user together

  [root@localhost ~]# openstack role add --project admin --user admin admin

  Create an ordinary user demo, a demo project and a role for ordinary users (user), and link them together

[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | 0eb713b710f74dddae9c05da5b851813 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+
[root@linux-node1 keystone]# openstack user create --domain default --password=demo demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 75d20be284604d22aa6339f4a92092ad |
| enabled             | True                             |
| id                  | 2c317424791d40409b9563a6be84eb87 |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 ~]#  openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 81a9712d39cf43c083b1dac1d791220b |
| name      | user                             |
+-----------+----------------------------------+
[root@localhost ~]# openstack role add --project demo --user demo user   # assign the user role

  Create a service project; it holds the service users of nova, neutron, glance and the other components

[root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | af2f8ddb65f54334aec867f364c3ceb4 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+
List the users, roles and projects created:
[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 2c317424791d40409b9563a6be84eb87 | demo  |
| b157751bed2a49fba654b8aca651d6e2 | admin |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0eb713b710f74dddae9c05da5b851813 | demo    |
| 7c0763e1b8a84e628eca4603e8170e31 | admin   |
| af2f8ddb65f54334aec867f364c3ceb4 | service |
+----------------------------------+---------+
[root@linux-node1 ~]# openstack role list 
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 81a9712d39cf43c083b1dac1d791220b | user  |
| f9d64dd56e924013a5625079afb90bd1 | admin |
+----------------------------------+-------+
  Register the Keystone service: although Keystone is the registry itself, it still has to be registered as a service
Create the Keystone identity service

[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 9b0442ce735142b5a895c4e9d5cac0b5 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
  Create the three kinds of endpoint: public (externally visible), internal (used internally) and admin (for management)

[root@linux-node1 ~]#  openstack endpoint create --region RegionOne identity public http://172.22.0.218:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 93feb7dd80b3405893c409f914e39a4e |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:5000/v2.0    |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://172.22.0.218:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 444f17d243354ec79bc40cff08123133 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:5000/v2.0    |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://172.22.0.218:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | db9aaaa9a0cb4b11ae8d0ee610765fea |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:35357/v2.0   |
+--------------+----------------------------------+
  List the endpoints created:

[root@linux-node1 ~]# openstack endpoint list
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
| ID                  | Region    | Service Name | Service Type | Enabled | Interface | URL                  |
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
| 444f17d243354ec79bc | RegionOne | keystone     | identity     | True    | internal  | http://172.22.0.218: |
| 40cff08123133       |           |              |              |         |           | 5000/v2.0            |
| 93feb7dd80b3405893c | RegionOne | keystone     | identity     | True    | public    | http://172.22.0.218: |
| 409f914e39a4e       |           |              |              |         |           | 5000/v2.0            |
| db9aaaa9a0cb4b11ae8 | RegionOne | keystone     | identity     | True    | admin     | http://172.22.0.218: |
| d0ee610765fea       |           |              |              |         |           | 35357/v2.0           |
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
  Deleting an endpoint:

  [root@localhost ~]# openstack endpoint delete xxxxxxxxxxxxxxxx (endpoint ID)

IV. Connect to Keystone and request a token. Now that a user name and password exist, the admin token is no longer used, so its environment variables must be unset:

[root@localhost ~]# unset OS_TOKEN

[root@localhost ~]# unset OS_URL   

  Configure Keystone environment variables to make running commands easier:

[root@linux-node1 ~]# vi admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845 
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://172.22.0.218:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[root@localhost ~]# vi demo-openrc.sh 
export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845 
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.22.0.218:5000/v3 
export OS_IDENTITY_API_VERSION=3

[root@localhost ~]# chmod +x admin-openrc.sh  demo-openrc.sh

[root@localhost ~]# source admin-openrc.sh

[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-03-05 10:23:52+00:00        |
| id         | 7267bebbcc1342f68be476ab51671366 |
| project_id | 503b0eab0420454e909a46e476bf1ede |
| user_id    | faa372fc9c4a45e9870b98a0ab4952ef |
+------------+----------------------------------+
View Code

Getting a token means the deployment succeeded!

posted on 2018-03-12 16:23  Steward_Xu
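Underneath, `openstack token issue` sends a POST to /v3/auth/tokens; Keystone answers 201 Created and places the token id in the X-Subject-Token response header, not in the JSON body. The following added example (not from the original post) performs that exchange with curl, reading the credentials from the OS_* variables that admin-openrc.sh exports. The response text embedded in it is a constructed sample that reuses the token id shown in the table above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the Keystone v3 password
# authentication that "openstack token issue" performs, done with curl.
# Function names are assumptions; credentials come from the OS_* variables
# exported by admin-openrc.sh / demo-openrc.sh.

# auth_body USER PASSWORD PROJECT DOMAIN_ID
# Prints the v3 password-auth request body, scoped to PROJECT so that the
# resulting token carries a project_id (as in the table above).
# Note: USER and PASSWORD are inserted verbatim; a password containing
# '"' or '\' must be JSON-escaped first.
auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"id":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"id":"%s"}}}}}' \
        "$1" "$4" "$2" "$3" "$4"
}

# token_from_response
# Reads a raw HTTP response (headers + body, as "curl -i" prints it) on
# stdin and prints the X-Subject-Token value. Exits 1 when the final
# status is not 201, which is what a wrong password, a wrong domain id
# or a user without a role on the project looks like.
token_from_response() {
    awk '
        /^HTTP\// { status = $2 }                     # last status line wins (handles 100 Continue)
        tolower($1) == "x-subject-token:" { token = $2; sub(/\r$/, "", token) }
        END {
            if (status != "201") { print "auth failed, HTTP " status > "/dev/stderr"; exit 1 }
            if (token == "")     { print "no X-Subject-Token header" > "/dev/stderr"; exit 1 }
            print token
        }'
}

# keystone_token
# Issues a token against $OS_AUTH_URL (e.g. http://172.22.0.218:35357/v3)
# using the OS_* environment; run "source admin-openrc.sh" first.
keystone_token() {
    curl -si -H 'Content-Type: application/json' \
        -d "$(auth_body "$OS_USERNAME" "$OS_PASSWORD" "$OS_PROJECT_NAME" "$OS_PROJECT_DOMAIN_ID")" \
        "${OS_AUTH_URL%/}/auth/tokens" | token_from_response
}

# Constructed sample of a successful response (no network needed).
SAMPLE_RESPONSE='HTTP/1.1 201 Created
Date: Mon, 05 Mar 2018 09:23:52 GMT
Content-Type: application/json
X-Subject-Token: 7267bebbcc1342f68be476ab51671366
Vary: X-Auth-Token

{"token":{"expires_at":"2018-03-05T10:23:52.000000Z","project":{"name":"admin"}}}'

# Offline demo of the parsing step:
printf '%s\n' "$SAMPLE_RESPONSE" | token_from_response
# Against the controller, after "source admin-openrc.sh":
#   keystone_token
```

Because the token is returned in a header, a successful call shows up in /var/log/httpd/keystone-access.log as a 201 on POST /v3/auth/tokens, while failed logins appear there as 401 responses; that log is the place to look when `openstack token issue` fails.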