*This article covers system initialization and the installation and configuration of keystone and glance.
OpenStack discussion group: 322596568
Host allocation:
Hostname    IP (Static)      OS                          Specs                    Role
openstack   192.168.20.200   CentOS-6.4-x86_64-minimal   4CPU,16G,300G,2 NICs     management node / compute node
node01      192.168.20.201   CentOS-6.4-x86_64-minimal   4CPU,16G,300G,2 NICs     compute node
Initial configuration:
(1). Configure the /etc/hosts file:
[root@openstack ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.21 openstack
192.168.10.22 node01
(2). Configure networking:
[root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.20.200
NETMASK=255.255.255.0
GATEWAY=192.168.20.2
[root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
(3). Disable SELinux:
[root@openstack ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
[root@openstack ~]# setenforce 0
(4). Edit the parameters in /etc/sysctl.conf:
[root@openstack ~]# vi /etc/sysctl.conf
……………………
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
……………………
[root@openstack ~]# sysctl -p # apply the sysctl.conf settings
(5). Turn off unneeded services (optional):
#!/bin/bash
SERVICE_SUM="auditd blk-availability iscsi iscsid lvm2-monitor mdmonitor multipathd netconsole postfix rdisc restorecond saslauthd"
echo $SERVICE_SUM | xargs -n1 | while read SERVICE
do
    chkconfig "$SERVICE" off
    service "$SERVICE" stop
done
(6). Add the third-party package repositories:
[root@openstack ~]# yum -y install http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-3.noarch.rpm
[root@openstack ~]# yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
(7). Update the kernel:
[root@openstack ~]# yum -y install kernel-2.6.32-358.123.2.openstack*
(8). Install the OpenStack utility packages:
[root@openstack ~]# yum -y install openstack-utils openstack-selinux
(9). Reboot:
[root@openstack ~]# reboot
2. Install and configure the NTP service
(1). Install the NTP service:
[root@openstack ~]# yum -y install ntp
(2). Configure the NTP service:
[root@openstack ~]# vi /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict default ignore
restrict 127.0.0.1
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
server ntp.api.bz
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
keys /etc/ntp/keys
(3). Start the NTP service and enable it at boot:
[root@openstack ~]# service ntpd start
[root@openstack ~]# chkconfig ntpd on
3. Install and configure MySQL:
(1). Install the MySQL service:
[root@openstack ~]# yum -y install mysql mysql-server MySQL-python
(on the compute node: yum install mysql MySQL-python)
(2). Edit the MySQL configuration file:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
bind-address = 0.0.0.0 # listen on IP address 0.0.0.0
default-storage-engine = innodb
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
(3). Start the MySQL service and enable it at boot:
[root@openstack ~]# service mysqld start
[root@openstack ~]# chkconfig mysqld on
(4). Set the MySQL password to passwd:
[root@openstack ~]# mysqladmin -uroot password 'passwd'; history -c
4. Install and configure the qpid service
(1). Install the qpid service:
[root@openstack ~]# yum -y install qpid-cpp-server memcached
(2). Edit the /etc/qpidd.conf configuration file and set auth to no:
[root@openstack ~]# vi /etc/qpidd.conf
……………………
auth=no
(3). Start the qpid service and enable it at boot:
[root@openstack ~]# service qpidd start
[root@openstack ~]# chkconfig qpidd on
5. Install and configure KeyStone
(1). Install the KeyStone service:
[root@openstack ~]# yum -y install openstack-keystone python-keystoneclient
(2). Create the keystone database:
[root@openstack ~]# openstack-db --init --service keystone --rootpw passwd
(3). Update the database connection in the configuration file:
[root@openstack ~]# openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:keystone@localhost/keystone
(4). Use openssl to generate a random token and store it in the configuration file:
[root@openstack ~]# export SERVICE_TOKEN=$(openssl rand -hex 10) # randomly generates the SERVICE_TOKEN value; keep a record of it
[root@openstack ~]# export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
[root@openstack ~]# mkdir /root/config
[root@openstack ~]# echo $SERVICE_TOKEN > /root/config/ks_admin_token.txt
[root@openstack ~]# cat /root/config/ks_admin_token.txt
12dd70ede7c9d9d3ed3c
[root@openstack ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN
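*Note: the generated SERVICE_TOKEN value is written to a file for later use; every SERVICE_TOKEN value referenced below is read from ks_admin_token.txt. Once it has been written to the file, do not run the command that generates SERVICE_TOKEN again, otherwise the old and new values will not match and debugging becomes difficult.
(5). By default keystone uses PKI tokens. Create the signing keys and certificates: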
[root@openstack ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@openstack ~]# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
(6). Start the keystone service and enable it at boot:
[root@openstack ~]# service openstack-keystone start
[root@openstack ~]# chkconfig openstack-keystone on
[root@openstack ~]# (crontab -l 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/root
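The steps so far leave several weak values on disk: SELINUX=disabled, bind-address 0.0.0.0, qpid auth=no, an admin_token in keystone.conf, a database password equal to the user name, and the token saved under /root/config. The script below is an added example, not part of the original article, that reads those files and reports each weak value; ini_get, audit_root and make_sample are names made up for this example, and the sample tree is constructed from the article's values.

```bash
#!/bin/bash
# Added example, not from the original article. Paths and values are the article's.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] ("" = before any header).
ini_get() {
    [ -r "$1" ] || return 0
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/   { cur = $0; gsub(/^[ \t]*\[|\].*$/, "", cur); next }
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+#.*$/, "", v)                        # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_root ROOT: print one finding per line for the tree under ROOT ("/" on a live host).
audit_root() {
    r=${1%/}
    if [ "$(ini_get "$r/etc/selinux/config" "" SELINUX)" = disabled ]; then
        echo "selinux: SELINUX=disabled, no policy is enforced"
    fi
    if [ "$(ini_get "$r/etc/my.cnf" mysqld bind-address)" = 0.0.0.0 ]; then
        echo "mysql: bind-address=0.0.0.0 listens on every interface"
    fi
    if [ "$(ini_get "$r/etc/qpidd.conf" "" auth)" = no ]; then
        echo "qpid: auth=no, broker accepts unauthenticated clients"
    fi
    if [ -n "$(ini_get "$r/etc/keystone/keystone.conf" DEFAULT admin_token)" ]; then
        echo "keystone: admin_token is set and bypasses user authentication"
    fi
    cred=$(ini_get "$r/etc/keystone/keystone.conf" sql connection)
    cred=${cred#*://}; cred=${cred%%@*}                     # leaves user:password
    if [ "${cred#*:}" != "$cred" ] && [ "${cred%%:*}" = "${cred#*:}" ]; then
        echo "keystone: database password equals the user name"
    fi
    tok=$r/root/config/ks_admin_token.txt
    if [ -n "$(find "$tok" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "token file: readable by group or other"
    fi
}

# make_sample DIR: constructed tree holding the values the article configures.
make_sample() {
    mkdir -p "$1/etc/selinux" "$1/etc/keystone" "$1/root/config"
    printf '%s\n' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$1/etc/selinux/config"
    printf '%s\n' '[mysqld]' 'bind-address = 0.0.0.0 # listen address' > "$1/etc/my.cnf"
    printf '%s\n' 'auth=no' > "$1/etc/qpidd.conf"
    printf '%s\n' '[DEFAULT]' 'admin_token = 12dd70ede7c9d9d3ed3c' '[sql]' \
        'connection = mysql://keystone:keystone@localhost/keystone' > "$1/etc/keystone/keystone.conf"
    printf '%s\n' '12dd70ede7c9d9d3ed3c' > "$1/root/config/ks_admin_token.txt"
    chmod 644 "$1/root/config/ks_admin_token.txt"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_root "$sample"
rm -rf "$sample"
```

On a live host, run audit_root / as root; an empty result means none of the listed values is present.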
5.2. Define Users, Tenants and Roles
(1). Edit the .bash_profile file and add the following variables:
[root@openstack ~]# vi .bash_profile
………………
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
export SERVICE_TOKEN=12dd70ede7c9d9d3ed3c
………………
Run the following command so the variables take effect immediately:
[root@openstack ~]# source .bash_profile
(2). Create an administrator user, admin:
[root@openstack ~]# keystone user-create --name=admin --pass=password --email=keystone@chensh.net
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | keystone@chensh.net |
| enabled | True |
| id | 16df18d2617943ea8b0cfce39e7e6541 |
| name | admin |
| username | admin |
+----------+----------------------------------+
(3). Create an administrator role, admin:
[root@openstack ~]# keystone role-create --name=admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 90ef9ebcdcbc47178cf959911ce0569e |
| name | admin |
+----------+----------------------------------+
(4). Create a tenant for the administrator user:
[root@openstack ~]# keystone tenant-create --name=admin --description='Admin Tenant'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | 4af98cdce9ea449b90c8dfec454b2b9f |
| name | admin |
+-------------+----------------------------------+
(5). Add the roles to the user:
Link the admin user, admin role, and admin tenant together using the user-role-add option:
[root@openstack ~]# keystone user-role-add --user=admin --tenant=admin --role=admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Link the admin user, _member_ role, and admin tenant:
[root@openstack ~]# keystone user-role-add --user=admin --role=_member_ --tenant=admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
(6). Create a Service tenant:
[root@openstack ~]# keystone tenant-create --name=service --description='Service Tenant'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | 7202578800e245808231cdfc07d26100 |
| name | service |
+-------------+----------------------------------+
5.3. Define Services and API Endpoints
(1). Create a service for KeyStone:
[root@openstack ~]# keystone service-create --name=keystone --type=identity --description="KeystoneIdentity Service"
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | KeystoneIdentity Service |
| enabled | True |
| id | 05224edaf29c4fa9a1d600749edc46b9 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
(2). Create an endpoint using the service ID:
[root@openstack ~]# vi /root/config/keystone.sh
#!/bin/bash
my_ip=0.0.0.0
service=$(keystone service-list | awk '/keystone/ {print $2}')
keystone endpoint-create --service-id=$service --publicurl=http://$my_ip:5000/v2.0 --internalurl=http://$my_ip:5000/v2.0 --adminurl=http://$my_ip:35357/v2.0
[root@openstack ~]# sh /root/config/keystone.sh
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://0.0.0.0:35357/v2.0 |
| id | c356f86d4c1c4be89274f23f86ed4d1e |
| internalurl | http://0.0.0.0:5000/v2.0 |
| publicurl | http://0.0.0.0:5000/v2.0 |
| region | regionOne |
| service_id | 05224edaf29c4fa9a1d600749edc46b9 |
+-------------+----------------------------------+
[root@openstack ~]# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-------+---------+---------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+---------------------+
| 16df18d2617943ea8b0cfce39e7e6541 | admin | True | keystone@chensh.net |
+----------------------------------+-------+---------+---------------------+
[root@openstack ~]# keystone user-role-list --user admin --tenant admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 16df18d2617943ea8b0cfce39e7e6541 | 4af98cdce9ea449b90c8dfec454b2b9f |
| 90ef9ebcdcbc47178cf959911ce0569e | admin | 16df18d2617943ea8b0cfce39e7e6541 | 4af98cdce9ea449b90c8dfec454b2b9f |
+----------------------------------+----------+----------------------------------+----------------------------------+
6. Install and configure Glance
6.1. Initialize Glance
(1). Install the Glance service:
[root@openstack ~]# yum -y install openstack-glance
(2). Create the Glance database:
[root@openstack ~]# openstack-db --init --service glance --rootpw passwd
(3). Update the database connection in the configuration files:
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance
6.2. Create the User and define Services and API Endpoints
(1). Create a glance user for the Glance service:
[root@openstack ~]# keystone user-create --name=glance --pass=service --email=glance@chensh.net
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | glance@chensh.net |
| enabled | True |
| id | e52a0f54a49346c485e68558d2c3f1fb |
| name | glance |
| username | glance |
+----------+----------------------------------+
[root@openstack ~]# keystone user-role-add --user=glance --tenant=service --role=admin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
(2). Create a service for glance:
[root@openstack ~]# keystone service-create --name=glance --type=image --description="Glance ImageService"
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Glance ImageService |
| enabled | True |
| id | 28fe6663aa404a0b8686c759de618240 |
| name | glance |
| type | image |
+-------------+----------------------------------+
(3). Create an endpoint using the service ID:
[root@openstack ~]# vi /root/config/glance.sh
#!/bin/bash
my_ip=0.0.0.0
service=$(keystone service-list | awk '/glance/ {print $2}')
keystone endpoint-create --service-id=$service --publicurl=http://$my_ip:9292 --internalurl=http://$my_ip:9292 --adminurl=http://$my_ip:9292
[root@openstack ~]# sh /root/config/glance.sh
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://0.0.0.0:9292 |
| id | 72aa5379814c495fb679504358443457 |
| internalurl | http://0.0.0.0:9292 |
| publicurl | http://0.0.0.0:9292 |
| region | regionOne |
| service_id | 28fe6663aa404a0b8686c759de618240 |
+-------------+----------------------------------+
6.3. Configure the Glance service
[root@openstack ~]# cp -av /etc/glance/glance-api.conf /etc/glance/glance-api.conf_bak
[root@openstack ~]# cp -av /etc/glance/glance-registry.conf /etc/glance/glance-registry.conf_bak
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT rpc_backend qpid
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT qpid_hostname $HOSTNAME
(1). Add the keystone authentication settings to the glance configuration files:
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://0.0.0.0:5000
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host 127.0.0.1
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_port 35357
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_protocol http
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password service
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://0.0.0.0:5000
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host 127.0.0.1
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_port 35357
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_protocol http
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password service
(2). Set the ini file paths and add the keystone authentication settings to the ini files:
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy config_file /etc/glance/glance-api-paste.ini
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf paste_deploy config_file /etc/glance/glance-registry-paste.ini
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone
[root@openstack ~]# cp /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini
[root@openstack ~]# cp /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini
[root@openstack ~]# chown -R root:glance /etc/glance/glance-api-paste.ini
[root@openstack ~]# chown -R root:glance /etc/glance/glance-registry-paste.ini
[root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken auth_host 127.0.0.1
[root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_tenant_name service
[root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_user glance
[root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_password service
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken auth_host 127.0.0.1
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_tenant_name service
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_user glance
[root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_password service
(3). Change the image storage path (images are stored under /var/lib/glance by default; skip this step if no change is needed):
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT filesystem_store_datadir /openstack/glance/images/
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT scrubber_datadir /openstack/glance/scrubber
[root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT image_cache_dir /openstack/glance/image-cache/
[root@openstack ~]# mkdir /openstack
[root@openstack ~]# cp -a /var/lib/glance/ /openstack/
[root@openstack ~]# chown -R glance:glance /openstack/glance/
(4). Start the glance services and enable them at boot:
[root@openstack ~]# service openstack-glance-api start
[root@openstack ~]# service openstack-glance-registry start
[root@openstack ~]# chkconfig openstack-glance-api on
[root@openstack ~]# chkconfig openstack-glance-registry on
6.4. Test Glance
(1). Upload an image:
[root@openstack ~]# glance image-create --name=centos6.4_20G --disk-format=qcow2 --container-format=ovf --is-public=true < /root/centos6.4-mini_x64.qcow2
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 4b16b4bcfd7f4fe7f0f2fdf8919048b4 |
| container_format | ovf |
| created_at | 2014-03-31T06:26:26 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | 45456157-9b46-4e40-8ee3-fbb2e40f227b |
| is_public | True |
| min_disk | 0 |
| min_ram | 0 |
| name | centos6.4_20G |
| owner | 446893f3733b4294a7080f3b0bf1ba61 |
| protected | False |
| size | 698023936 |
| status | active |
| updated_at | 2014-03-31T06:26:30 |
+------------------+--------------------------------------+
(2). List the images:
[root@openstack ~]# glance image-list
+--------------------------------------+---------------+-------------+------------------+-----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------+-------------+------------------+-----------+--------+
| 45456157-9b46-4e40-8ee3-fbb2e40f227b | centos6.4_20G | qcow2 | ovf | 698023936 | active |
+--------------------------------------+---------------+-------------+------------------+-----------+--------+