[Experience sharing] OpenStack controller node: installing the base environment and the Identity service

Posted 2015-9-2 09:23:46
OpenStack Networking (neutron) requires a controller node, a network node and at least one compute node.

I. Physical environment deployment
1. Physical environment plan
Table 1.1. OpenStack environment deployment (the table is provided as an image in the original post)
II. Pre-installation setup
1.1 Configure the hostname
root@controller:~# vim /etc/hostname
controller



1.2 Configure the IP address
root@controller:~# vim /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.100.100
netmask 255.255.255.0
gateway 192.168.100.2



1.3 Configure name resolution in /etc/hosts
root@network:~# vim /etc/hosts
# controller
192.168.100.100  controller
# network
192.168.100.101  network
# compute1
192.168.100.102  compute1



2. Network Time Protocol (NTP)
2.1 Install the NTP server
root@controller:~# sudo apt-get install ntp



2.2 Configure the service in /etc/ntp.conf
server ntp.ubuntu.com iburst
restrict -4 default kod notrap nomodify
restrict -6 default kod notrap nomodify



2.3 Restart the NTP service
root@controller:~# sudo /etc/init.d/ntp restart



3. System upgrade
3.1 Add the OpenStack repository
root@controller:~# sudo apt-get install ubuntu-cloud-keyring
root@controller:~# sudo vim /etc/apt/sources.list.d/cloudarchive-kilo.list
deb http://ubuntu-cloud.archive.cano ... trusty-updates/kilo main



3.2 Upgrade the packages; if the upgrade includes a kernel upgrade, reboot the server.
root@controller:~# apt-get update
root@controller:~# sudo apt-get dist-upgrade



III. Install the database
1. Install the database packages and set the password of the database root account
root@controller:~# sudo apt-get install mariadb-server python-mysqldb



2. Configure /etc/mysql/my.cnf
[mysqld]
bind-address             = 192.168.100.100
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8



3. Restart the MySQL service
root@controller:~# sudo /etc/init.d/mysql restart
 * Stopping MariaDB database server mysqld   [ OK ]
 * Starting MariaDB database server mysqld   [ OK ]
 * Checking for corrupt, not cleanly closed and upgrade needing tables.



4. Database security hardening
root@controller:~# mysql_secure_installation
/usr/bin/mysql_secure_installation: 379: /usr/bin/mysql_secure_installation: find_mysql_client: not found

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
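The interactive script above makes three changes that matter for the controller: it removes the anonymous accounts, restricts root to local connections and drops the test database. As an added example (not part of the original post), the POSIX shell snippet below prints the equivalent SQL so the hardening can be scripted on many controllers, and audits a "User|Host" account listing for the two conditions a reviewer checks after the fact. The account listing is constructed for the demo; the SQL statements mirror what mysql_secure_installation executes.

```shell
#!/bin/sh
# Added example, not from the original post.

# hardening_sql: print the SQL equivalent of the mysql_secure_installation steps.
# Feed it to the server with:  hardening_sql | mysql -uroot -p
hardening_sql() {
    cat <<'EOF'
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
EOF
}

# audit_accounts: read "User|Host" lines on stdin, as produced by
#   mysql -N -e "SELECT CONCAT(User,'|',Host) FROM mysql.user"
# and print one FINDING per anonymous account or remote root login.
# Returns 0 when nothing was found, 1 otherwise.
audit_accounts() {
    findings=0
    while IFS='|' read -r user host; do
        [ -n "$user$host" ] || continue          # skip blank lines
        if [ -z "$user" ]; then
            echo "FINDING anonymous account allowed from host '$host'"
            findings=$((findings + 1))
        elif [ "$user" = "root" ]; then
            case "$host" in
                localhost|127.0.0.1|::1) ;;        # local root is expected
                *) echo "FINDING root login allowed from host '$host'"
                   findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
}

# sample_accounts: a constructed listing of a freshly installed server
# on which the hardening has not yet been applied.
sample_accounts() {
    cat <<'EOF'
root|localhost
root|%
|localhost
keystone|localhost
keystone|%
EOF
}

# Stand-alone run: show the SQL, then audit the constructed listing.
hardening_sql
sample_accounts | audit_accounts || echo "hardening still required"
```

The audit deliberately treats 'keystone'@'%' as acceptable, since the service account granted in section V below is expected to connect from other hosts; only anonymous users and remote root trigger a finding.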




IV. Install the message queue service
1. Install the package
root@controller:~# sudo apt-get install rabbitmq-server



2. Configure the message queue service
2.1 Add the openstack user
root@controller:~# sudo rabbitmqctl add_user openstack 2015OS##
Creating user "openstack" ...



2.2 Give the openstack user read and write permissions
root@controller:~# sudo rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...



V. Install the Identity service
1. OpenStack Identity concepts
Figure 1.1 The Keystone Identity concepts (image in the original post)
2. OpenStack Keystone identity management
Figure 1.2 The Keystone Identity Manager (image in the original post)
3. Installation and configuration
3.1 Database configuration
3.1.1 Create the database
root@controller:~# mysql -uroot -p
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.03 sec)



3.1.2 Grant access to the database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'sfzhang1109';
Query OK, 0 rows affected (0.11 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'sfzhang1109';
Query OK, 0 rows affected (0.03 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.02 sec)



3.1.3 Exit the database client
MariaDB [(none)]> exit
Bye



3.2 Generate a random value to use as the administration token during initial configuration.
root@controller:~# openssl rand -hex 10
f7db38628bd546819169



3.3 Install and configure the Identity service
3.3.1 Prevent the keystone service from starting automatically
root@controller:~# echo "manual" > /etc/init/keystone.override



3.3.2 Run the following command to install the packages
root@controller:~# sudo apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache



3.3.3 Configure the keystone configuration file /etc/keystone/keystone.conf.
1) In the [DEFAULT] section, configure the administration token
[DEFAULT]

admin_token = f7db38628bd546819169
2) In the [database] section, configure database access
[database]

connection = mysql://keystone:sfzhang1109@controller/keystone
3) In the [memcache] section, configure memcache
[memcache]

servers = localhost:11211
4) In the [token] section, configure the UUID token provider and the token driver
[token]

provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
5) In the [revoke] section, configure the SQL revocation driver
[revoke]

driver = keystone.contrib.revoke.backends.sql.Revoke
6) In the [DEFAULT] section, enable verbose logging to help with later troubleshooting
[DEFAULT]

verbose = True
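After these six edits keystone.conf holds two secrets, the admin token and the database password, so the file should not be readable by other local users. As an added example (not code from the original post or from the Keystone project), the POSIX shell snippet below applies the same settings to a scratch copy of the file with a small awk-based ini setter, which replaces an existing key in place and appends missing sections, then tightens the file mode. The scratch file layout, the token and the password are constructed for the demo; on a real controller the file is /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# Added example, not from the original post or the Keystone project.

# set_ini FILE SECTION KEY VALUE: set KEY under [SECTION], replacing the first
# existing KEY in that section or appending the key (and the section if absent).
set_ini() {
    file=$1 section=$2 key=$3 value=$4
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having seen KEY: append it here
            if (cur == s && !done) { print k " = " v; done = 1 }
            cur = substr($0, 2, length($0) - 2)
        }
        cur == s && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (cur != s) print "[" s "]"
                print k " = " v
            }
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ini FILE SECTION KEY: print the value of KEY in [SECTION] (used to verify).
get_ini() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# configure_keystone FILE TOKEN DBPASS: steps 1) to 6) of section 3.3.3.
configure_keystone() {
    cfg=$1 tok=$2 pw=$3
    set_ini "$cfg" DEFAULT admin_token "$tok"
    set_ini "$cfg" database connection "mysql://keystone:$pw@controller/keystone"
    set_ini "$cfg" memcache servers localhost:11211
    set_ini "$cfg" token provider keystone.token.providers.uuid.Provider
    set_ini "$cfg" token driver keystone.token.persistence.backends.sql.Token
    set_ini "$cfg" revoke driver keystone.contrib.revoke.backends.sql.Revoke
    set_ini "$cfg" DEFAULT verbose True
    chmod 640 "$cfg"   # the file now contains secrets; only owner and group may read it
}

# gen_token: the openssl command from section 3.2, with a /dev/urandom fallback.
gen_token() {
    openssl rand -hex 10 2>/dev/null || od -An -N10 -tx1 /dev/urandom | tr -d ' \n'
}

# demo: run the configuration against a constructed scratch file and show it.
demo() {
    tmp=$(mktemp)
    printf '[DEFAULT]\n#admin_token = ADMIN\n\n[database]\nconnection = sqlite:////var/lib/keystone/keystone.db\n\n[token]\n' > "$tmp"
    configure_keystone "$tmp" "$(gen_token)" sfzhang1109
    cat "$tmp"
    ls -l "$tmp"
    rm -f "$tmp"
}

demo
```

The setter only touches the first matching key inside the named section, so a commented-out `#admin_token = ADMIN` from the packaged default file is left alone and a live value is added next to it; the mode 640 matches how the package ships the file (owner keystone, group keystone).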



3.4 Initialize the Identity service database
root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
2015-08-28 16:58:00.679 11542 INFO migrate.versioning.api [-] 43 -> 44...
2015-08-28 16:58:02.694 11542 INFO migrate.versioning.api [-] done
2015-08-28 16:58:02.694 11542 INFO migrate.versioning.api [-] 44 -> 45...
2015-08-28 16:58:02.700 11542 INFO migrate.versioning.api [-] done
2015-08-28 16:58:02.701 11542 INFO migrate.versioning.api [-] 45 -> 46...




3.5 Configure the Apache HTTP server
1) Edit /etc/apache2/apache2.conf and add
ServerName controller



2) Edit /etc/apache2/sites-available/wsgi-keystone.conf and add
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>




3) Enable the Identity service virtual hosts.
root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled



4) Create the directory structure for the WSGI components
root@controller:~# mkdir -p /var/www/cgi-bin/keystone



5) Copy the WSGI components into the /var/www/cgi-bin/keystone directory
root@controller:~# curl http://git.openstack.org/cgit/op ... ne.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin



6) Set the ownership and permissions of the directory and files
root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*



3.6 Finalize the installation
1) Restart the Apache service
root@controller:~# /etc/init.d/apache2 start
 * Starting web server apache2



2) By default a SQLite database is created; since MySQL is used here, delete the SQLite database file
root@controller:~# rm -f /var/lib/keystone/keystone.db



4. Create the service entity and API endpoints
4.1 Preparation
1) Configure the administration token; the value is the admin_token set in keystone.conf
root@controller:~# export OS_TOKEN=f7db38628bd546819169



2) Configure the endpoint URL
root@controller:~# export OS_URL=http://controller:35357/v2.0



4.2 Create the service entity and API endpoints
1) Create the service entity for the Identity service
(command output provided as an image in the original post)
2) Create the API endpoints of the Identity service
(command output provided as an image in the original post)
5. Create tenants, users and roles
The Identity service provides authentication for every OpenStack service. Its main objects are tenants, users and roles.
1) Create the admin tenant, user and role for performing administrative operations
1.1 Create the admin tenant
root@controller:~# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | d04d4985d62f42e2af2ddc35f442ffd9 |
| name        | admin                            |
+-------------+----------------------------------+



1.2 Create the admin user (password: admin)
root@controller:~# openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 19a358fd76014727bf0e5ef5b174c567 |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+



1.3 Create the admin role
root@controller:~# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 05616505a61c4aa78f43fba9e60ba7fc |
| name  | admin                            |
+-------+----------------------------------+



1.4 Add the admin role to the admin tenant and user
root@controller:~# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 05616505a61c4aa78f43fba9e60ba7fc |
| name  | admin                            |
+-------+----------------------------------+



6. Verify authentication
1) For security, disable the temporary authentication token mechanism
Edit /etc/keystone/keystone-paste.ini and remove the temporary token entry from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
[pipeline:public_api]
pipeline = …
[pipeline:admin_api]
pipeline = …
[pipeline:api_v3]
pipeline = …
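Leaving the admin token filter in the pipelines means the static value from keystone.conf keeps working as a full administrator credential on every API request, so this step is worth verifying rather than assuming. As an added example (not part of the original post), the POSIX shell snippet below reports which pipelines in a keystone-paste.ini still list the filter and removes it from every pipeline line. The upstream Kilo install guide names the filter `admin_token_auth`; the sample file is constructed to resemble the packaged layout and is not copied from a real installation.

```shell
#!/bin/sh
# Added example, not from the original post or the Keystone project.

# token_pipelines FILE: print "section: filters" for every pipeline that still
# contains the admin_token_auth filter; prints nothing when the file is clean.
token_pipelines() {
    awk '
        /^\[pipeline:/ { sec = substr($0, 2, length($0) - 2) }
        /^pipeline[ \t]*=/ {
            rest = $0; sub(/^pipeline[ \t]*=[ \t]*/, "", rest)
            n = split(rest, w, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (w[i] == "admin_token_auth") { print sec ": " rest; break }
        }
    ' "$1"
}

# strip_admin_token FILE: rewrite FILE in place with admin_token_auth removed
# from every pipeline line; section headers and other lines are untouched.
strip_admin_token() {
    awk '
        /^pipeline[ \t]*=/ {
            rest = $0; sub(/^pipeline[ \t]*=[ \t]*/, "", rest)
            n = split(rest, w, /[ \t]+/)
            out = "pipeline ="
            for (i = 1; i <= n; i++)
                if (w[i] != "" && w[i] != "admin_token_auth") out = out " " w[i]
            print out; next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sample_paste: constructed keystone-paste.ini fragment with the filter present
# in the three pipelines the text above names and absent from a fourth.
sample_paste() {
    cat <<'EOF'
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3

[pipeline:public_version_api]
pipeline = sizelimit url_normalize public_version_service
EOF
}

# Stand-alone run on the constructed file: report, fix, report again.
scratch=$(mktemp)
sample_paste > "$scratch"
echo "before:"; token_pipelines "$scratch"
strip_admin_token "$scratch"
echo "after:";  token_pipelines "$scratch"
rm -f "$scratch"
```

Run `token_pipelines /etc/keystone/keystone-paste.ini` on a controller as a check; an empty result means the only remaining way to obtain administrative rights is a password login for a user that holds the admin role, which is the state the next steps assume.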



2) Unset the temporary environment variables OS_TOKEN and OS_URL
root@controller:~# unset OS_TOKEN OS_URL



3) As the admin user, request an authentication token from the version 2.0 API
root@controller:~# openstack --os-auth-url http://controller:35357 \
  --os-project-name admin --os-username admin --os-auth-type password \
  token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-08-31T08:22:23Z             |
| id         | 87e7b6778d1649a5a64415d41b7645dc |
| project_id | d04d4985d62f42e2af2ddc35f442ffd9 |
| user_id    | 19a358fd76014727bf0e5ef5b174c567 |
+------------+----------------------------------+



4) As the admin user, list the tenants
root@controller:~# openstack --os-auth-url http://controller:35357 \
  --os-project-name admin --os-username admin --os-auth-type password \
  project list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| d04d4985d62f42e2af2ddc35f442ffd9 | admin |
+----------------------------------+-------+



5) As the admin user, list the users
root@controller:~# openstack --os-auth-url http://controller:35357 \
  --os-project-name admin --os-username admin --os-auth-type password \
  user list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 19a358fd76014727bf0e5ef5b174c567 | admin |
+----------------------------------+-------+



6) As the admin user, list the roles
root@controller:~# openstack --os-auth-url http://controller:35357 \
  --os-project-name admin --os-username admin --os-auth-type password \
  role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 05616505a61c4aa78f43fba9e60ba7fc | admin |
+----------------------------------+-------+



7. Create the OpenStack client environment script
1) Create the script file admin-openrc.sh; the administrator uses port 35357, while ordinary users use port 5000
root@controller:~# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
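The rc file stores OS_PASSWORD in clear text and, with the URL shown, sends it over plain http, so the file mode and the scheme are the two things to check before handing such a script around. As an added example (not part of the original post), the POSIX shell snippet below writes the same file under a restrictive umask and audits an existing rc file for both conditions. The file paths are scratch files created for the demo.

```shell
#!/bin/sh
# Added example, not from the original post.

# write_openrc FILE PASSWORD AUTH_URL: write the admin rc file with the same
# variables as above; the subshell umask keeps a newly created file at mode 600.
write_openrc() {
    ( umask 077; cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$2
export OS_AUTH_URL=$3
EOF
    )
}

# audit_openrc FILE: print a FINDING for a file readable by group or others and
# for an auth URL that uses plain http; returns 0 only when there are none.
audit_openrc() {
    n=0
    perms=$(ls -l "$1" | cut -c1-10)
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        *r*|*w*|*x*) echo "FINDING $1 is accessible to group or others (mode $perms)"
                     n=$((n + 1)) ;;
    esac
    url=$(sed -n 's/^export OS_AUTH_URL=//p' "$1")
    case "$url" in
        http://*) echo "FINDING OS_AUTH_URL uses plain http, credentials travel unencrypted: $url"
                  n=$((n + 1)) ;;
    esac
    grep -q '^export OS_PASSWORD=.' "$1" &&
        echo "NOTE $1 stores the password in clear text; keep it out of shared directories and version control"
    [ "$n" -eq 0 ]
}

# Stand-alone run on a scratch file with the values used in the post.
scratch=$(mktemp)
write_openrc "$scratch" admin http://controller:35357/v3
audit_openrc "$scratch" || echo "review $scratch before distributing it"
rm -f "$scratch"
```

On a controller the same audit applies to any rc file in a shared home or backup directory; switching the scheme to https requires TLS on the Apache virtual hosts from section 3.5, which the post does not configure.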



2) Load the client environment script
root@controller:~# source admin-openrc.sh



3) Request an authentication token
root@controller:~# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-08-31T09:33:20.091020Z      |
| id         | 1c0d3fc7cfb94e76b9cf5a7548436580 |
| project_id | d04d4985d62f42e2af2ddc35f442ffd9 |
| user_id    | 19a358fd76014727bf0e5ef5b174c567 |
+------------+----------------------------------+







