
Deploying OpenStack Yoga on openEuler 22.09

openEuler virtualization environment setup

Use VMware Workstation to create three virtual machines, each with 2 CPUs, 8 GB of memory, and a 100 GB disk.

Host          IP                 Role
Controller    192.168.184.110    Controller node
Compute       192.168.184.111    Compute node
Storage       192.168.184.112    Storage node

1 Basic configuration

1.1 Configure the yum repositories

Because openEuler 22.09 is no longer maintained, the yum repositories must be switched to the official Archive repositories.

Open /etc/yum.repos.d/openEuler.repo and change every occurrence of http://repo.openeuler.org/ to https://archives.openeuler.openatom.cn/

On all three machines

[root@controller ~]# sed -i 's|http://repo.openeuler.org/|https://archives.openeuler.openatom.cn/|g' /etc/yum.repos.d/openEuler.repo

# Then update the packages

[root@controller ~]# dnf update

1.2 Disable the firewall and other settings

On all three machines

# Disable the firewall

[root@controller ~]# systemctl disable --now firewalld

# Disable SELinux

[root@controller ~]# vi /etc/selinux/config

# Change the following setting

SELINUX=disabled

Edit the hosts file

On all three machines

[root@controller ~]# cat >> /etc/hosts << EOF

192.168.184.110 controller

192.168.184.111 compute

192.168.184.112 storage

EOF

It is best to reboot the machines at this point so that the SELinux change takes effect.

1.3 Time synchronization

The cluster requires every node to keep the same time, which is generally ensured by time synchronization software; chrony is used here.

Controller node

First, install the chrony service

[root@controller ~]# dnf install -y chrony

Then edit the /etc/chrony.conf configuration file and add the following

pool ntp.aliyun.com iburst

# Specifies which IPs are allowed to synchronize their clocks from this node

allow 192.168.184.0/24

Then restart the service

[root@controller ~]# systemctl restart chronyd

The other two nodes

Likewise, first install the chrony service

[root@compute ~]# dnf install -y chrony

Edit the /etc/chrony.conf configuration file as follows

[root@compute ~]# vi /etc/chrony.conf

# pool pool.ntp.org iburst

↑ Comment out this line

[root@compute ~]# echo "server 192.168.184.110 iburst" >> /etc/chrony.conf

Then restart the service

[root@compute ~]# systemctl restart chronyd

Once configured, check the result by running the following on the non-controller nodes

[root@compute ~]# chronyc sources

Output that lists controller as the source indicates that time is being synchronized from the controller successfully.

1.4 Install the database

The database is installed on the Controller node; MariaDB is used here.

First install MariaDB

[root@controller ~]# dnf install mysql-config mariadb mariadb-server python3-PyMySQL -y

Create the configuration file /etc/my.cnf.d/openstack.cnf with the following content

[root@controller ~]# vi /etc/my.cnf.d/openstack.cnf

[mysqld]

bind-address = 192.168.184.110

default-storage-engine = innodb

innodb_file_per_table = on

max_connections = 4096

collation-server = utf8_general_ci

character-set-server = utf8

Then start the service

[root@controller ~]# systemctl start mariadb

Then initialize the database

[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current

password for the root user. If you've just installed MariaDB, and

haven't set the root password yet, you should just press enter here.

# Enter the password here; since this is a fresh MariaDB setup, just press Enter

Enter current password for root (enter for none):

OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody

can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

# Enter n here, as the prompt suggests

Switch to unix_socket authentication [Y/n] n

 ... skipping.

You already have your root account protected, so you can safely answer 'n'.

# Enter Y to change the password

Change the root password? [Y/n] y

# Enter the password twice here

New password:

Re-enter new password:

Password updated successfully!

Reloading privilege tables..

 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone

to log into MariaDB without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

# Enter Y to remove anonymous users

Remove anonymous users? [Y/n] y

 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

# Enter Y to disable remote root login

Disallow root login remotely? [Y/n] y

 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

# Enter Y to remove the test database

Remove test database and access to it? [Y/n] y

 - Dropping test database...

 ... Success!

 - Removing privileges on test database...

 ... Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

# Enter Y to reload the privilege tables

Reload privilege tables now? [Y/n] y

 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB

installation should now be secure.

Thanks for using MariaDB!

Then verify the result

[root@controller ~]# mysql -uroot -p

# Enter the password

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 11

Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

1.5 Install the message queue

The message queue is installed on the Controller node; RabbitMQ is used here.

First, install the package

[root@controller ~]# dnf install rabbitmq-server -y

Then start the service

[root@controller ~]# systemctl start rabbitmq-server

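Then configure the openstack user. RABBIT_PASS is the password the OpenStack services use to log in to the message queue, and it must match the configuration of each service later on.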

[root@controller ~]# rabbitmqctl add_user openstack 000000

[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Here 000000 is RABBIT_PASS. You can change it, but be sure to remember it.
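The same literal is reused later in this guide for every database user and service account, and it is embedded in URL-style options such as connection and transport_url. The following added example (not part of the original guide) generates a distinct random secret per credential into an owner-only file and renders those two options from it; the variable names other than RABBIT_PASS and METADATA_SECRET, and the file layout, are assumptions.

```bash
#!/bin/sh
# Added example, not from the original guide. Secret names other than
# RABBIT_PASS and METADATA_SECRET are assumed; pick any names you like.
SECRET_NAMES="RABBIT_PASS METADATA_SECRET KEYSTONE_DBPASS GLANCE_DBPASS PLACEMENT_DBPASS NOVA_DBPASS NEUTRON_DBPASS CINDER_DBPASS"

# 128 bits from the kernel CSPRNG as 32 hex characters. Hex contains no
# '@', ':', '/' or '#', so the value can be placed unescaped inside
# scheme://user:PASS@host options.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_secrets_file PATH
# Writes NAME=value lines, one per secret, to a file created with mode 0600.
# Refuses to overwrite so that live credentials are not rotated by accident.
write_secrets_file() {
    ws_out=$1
    if [ -e "$ws_out" ]; then
        echo "refusing to overwrite $ws_out" >&2
        return 1
    fi
    (
        umask 077
        for ws_name in $SECRET_NAMES; do
            printf '%s=%s\n' "$ws_name" "$(gen_secret)"
        done > "$ws_out"
    )
}

# get_secret PATH NAME
# Prints the value stored for NAME; fails if NAME is not in the file.
get_secret() {
    gs_val=$(sed -n "s/^$2=//p" "$1")
    [ -n "$gs_val" ] || return 1
    printf '%s\n' "$gs_val"
}

# db_connection_line PATH DB_USER SECRET_NAME DATABASE
# Renders the [database] connection option in the form this guide uses.
db_connection_line() {
    dc_pass=$(get_secret "$1" "$3") || return 1
    printf 'connection = mysql+pymysql://%s:%s@controller/%s\n' "$2" "$dc_pass" "$4"
}

# transport_url_line PATH
# Renders the RabbitMQ transport_url option for the openstack user.
transport_url_line() {
    tu_pass=$(get_secret "$1" RABBIT_PASS) || return 1
    printf 'transport_url = rabbit://openstack:%s@controller\n' "$tu_pass"
}
```

Pass the value from get_secret to rabbitmqctl add_user and to the GRANT statements in place of 000000, and keep the secrets file readable by root only.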

1.6 Install the cache service

The cache service is installed on the Controller node; Memcached is used here.

First, install the packages

[root@controller ~]# dnf install memcached python3-memcached -y

Edit the configuration file /etc/sysconfig/memcached

[root@controller ~]# vi /etc/sysconfig/memcached

PORT="11211"

USER="memcached"

MAXCONN="1024"

CACHESIZE="64"

OPTIONS="-l 127.0.0.1,::1,controller"

Then start the service

[root@controller ~]# systemctl start memcached

2 Deploying the services

2.1 Keystone

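Keystone is OpenStack's Identity Service. It manages authentication and authorization for users, roles, projects (tenants), and domains. Keystone is one of OpenStack's core components; all other OpenStack services depend on it for user authentication and authorization, so it must be installed.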

Controller node

First create the Keystone database and grant privileges

[root@controller ~]# mysql -uroot -p

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 13

Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;

Query OK, 1 row affected (0.009 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.013 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.002 sec)

MariaDB [(none)]> exit

Bye

Then install the packages

[root@controller ~]# dnf install openstack-keystone httpd mod_wsgi -y

Then edit the Keystone configuration file

[root@controller ~]# vi /etc/keystone/keystone.conf

# Configure the database connection

[database]

connection = mysql+pymysql://keystone:000000@controller/keystone

# Configure the token provider

[token]

provider = fernet

Then synchronize the database

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Then initialize the Fernet key repository

[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Then bootstrap the service

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000  \

--bootstrap-admin-url http://controller:5000/v3/ \

--bootstrap-internal-url http://controller:5000/v3/ \

--bootstrap-public-url http://controller:5000/v3/ \

--bootstrap-region-id RegionOne

Then configure the Apache HTTP Server

Open httpd.conf and edit it

[root@controller ~]# vi /etc/httpd/conf/httpd.conf

# Change the following item, or add it if it does not exist

ServerName controller

Then create the symbolic link

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Then start the Apache HTTP service

[root@controller ~]# systemctl enable --now httpd.service

[root@controller ~]# systemctl status httpd.service

Then create the environment variable file

[root@controller ~]# cat << EOF >> ~/.admin-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

EOF

Then create the domain, projects, users, and roles in turn

First, though, python3-openstackclient must be installed

[root@controller ~]# dnf install python3-openstackclient -y

Then load the environment

[root@controller ~]# source ~/.admin-openrc

[root@controller ~]# env | grep OS_

Create the service project. The Default domain was already created by keystone-manage bootstrap.

[root@controller ~]# openstack domain create --description "An Example Domain" example

[root@controller ~]# openstack project create --domain default --description "Service Project" service

Create the (non-admin) project myproject, the user myuser, and the role myrole, then add the role myrole to myproject and myuser

[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject

[root@controller ~]# openstack user create --domain default --password-prompt myuser

Password: 000000

[root@controller ~]# openstack role create myrole

Assign the role myrole to the user myuser on the project myproject, and verify that the role was assigned successfully

[root@controller ~]# openstack role add --project myproject --user myuser myrole

[root@controller ~]# openstack role assignment list --project myproject --user myuser

Then verify the setup

Unset the temporary environment variables OS_AUTH_URL and OS_PASSWORD

[root@controller ~]# source ~/.admin-openrc

[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD

Request a token as the admin user

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \

--os-project-domain-name Default --os-user-domain-name Default \

--os-project-name admin --os-username admin token issue

Password: 000000

Request a token as the myuser user

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \

--os-project-domain-name Default --os-user-domain-name Default \

--os-project-name myproject --os-username myuser token issue

Password: 000000

2.2 Glance

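Glance is OpenStack's Image Service, responsible for managing and storing virtual machine images. It lets users upload, download, delete, and query virtual machine images, and supports multiple image formats (such as QCOW2, RAW, and VMDK). Glance is one of the core components used by the OpenStack compute service (Nova), providing the boot images for virtual machines, so it must be installed.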

Controller node

First create the glance database and grant privileges

[root@controller ~]# mysql -u root -p

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 30

Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE glance;

Query OK, 1 row affected (0.011 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.018 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.011 sec)

MariaDB [(none)]> exit

Bye

Initialize the glance resource objects

[root@controller ~]# source ~/.admin-openrc

[root@controller ~]# env | grep OS_

When creating the user, the command line prompts for a password; enter a password of your choice

[root@controller ~]# openstack user create --domain default --password-prompt glance

User Password: 000000

Repeat User Password: 000000

Add the glance user to the service project with the admin role

[root@controller ~]# openstack role add --project service --user glance admin

Create the glance service entity

[root@controller ~]# openstack service create --name glance --description "OpenStack Image" image

Create the glance API service endpoints

[root@controller ~]# openstack endpoint create --region RegionOne image public http://controller:9292

[root@controller ~]# openstack endpoint create --region RegionOne image internal http://controller:9292

[root@controller ~]# openstack endpoint create --region RegionOne image admin http://controller:9292

Then install the package

[root@controller ~]# dnf install openstack-glance -y

Then edit the glance configuration file

[root@controller ~]# vi /etc/glance/glance-api.conf

# Add or modify the following

[database]

connection = mysql+pymysql://glance:000000@controller/glance

[keystone_authtoken]

www_authenticate_uri  = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = glance

password = 000000

[paste_deploy]

flavor = keystone

[glance_store]

stores = file,http

default_store = file

filesystem_store_datadir = /var/lib/glance/images/

Synchronize the database

[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance

Then start the service

[root@controller ~]# systemctl enable --now openstack-glance-api.service

Then load the environment variables and verify

[root@controller ~]# source ~/.admin-openrc

[root@controller ~]# env | grep OS_

Then download the image

[root@controller ~]# wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img

Then upload the image to the Image service

[root@controller ~]# openstack image create --disk-format qcow2 --container-format bare \

--file cirros-0.4.0-x86_64-disk.img --public cirros

Confirm that the image was uploaded and verify its attributes

[root@controller ~]# openstack image list

2.3 Placement

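Placement is a core OpenStack service mainly responsible for resource scheduling and allocation. It is an important part of the OpenStack compute service (Nova), used to manage compute-node resources (such as CPU, memory, and storage) and to ensure efficient resource use and load balancing.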

Controller node

Before installing and configuring the Placement service, first create the corresponding database, service credentials, and API endpoints

    [root@controller ~]# mysql -u root -p

    Enter password:

    Welcome to the MariaDB monitor.  Commands end with ; or \g.

    Your MariaDB connection id is 49

    Server version: 10.5.16-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> CREATE DATABASE placement;

    Query OK, 1 row affected (0.010 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.055 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.005 sec)

    MariaDB [(none)]> exit

    Bye

Then configure the user and endpoints

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# env | grep OS_

Create the placement user and set its password

    [root@controller ~]# openstack user create --domain default --password-prompt placement

    User Password: 000000

    Repeat User Password: 000000

Add the placement user to the service project with the admin role

    [root@controller ~]# openstack role add --project service --user placement admin

Create the placement service entity

    [root@controller ~]# openstack service create --name placement \

    --description "Placement API" placement

Create the Placement API service endpoints

    [root@controller ~]# openstack endpoint create --region RegionOne \

    placement public http://controller:8778

    [root@controller ~]# openstack endpoint create --region RegionOne \

    placement internal http://controller:8778

    [root@controller ~]# openstack endpoint create --region RegionOne \

    placement admin http://controller:8778

Then install the package

    [root@controller ~]# dnf install openstack-placement-api -y

Edit the /etc/placement/placement.conf configuration file

    [root@controller ~]# vi /etc/placement/placement.conf

    [placement_database]

    connection = mysql+pymysql://placement:000000@controller/placement

    [api]

    auth_strategy = keystone

    [keystone_authtoken]

    auth_url = http://controller:5000/v3

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = placement

    password = 000000

Synchronize the database to populate the Placement database

    [root@controller ~]# su -s /bin/sh -c "placement-manage db sync" placement

Then restart the httpd service to start Placement

    [root@controller ~]# systemctl restart httpd

Then verify the result

Source the admin credentials to gain admin command-line access

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# env | grep OS_

Run the status check

    [root@controller ~]# placement-status upgrade check

Here the result of Policy File JSON to YAML Migration is Failure

This is because JSON-format policy files have been deprecated in Placement since the Wallaby release

Following the hint, you can use the oslopolicy-convert-json-to-yaml tool to convert the existing JSON policy file to YAML

    [root@controller ~]# oslopolicy-convert-json-to-yaml  --namespace placement \

      --policy-file /etc/placement/policy.json \

      --output-file /etc/placement/policy.yaml

    [root@controller ~]# mv /etc/placement/policy.json{,.bak}

Note: in the current environment this issue can be ignored; it does not affect operation.

Then run commands against the placement API

First install the osc-placement plugin

    [root@controller ~]# dnf install python3-osc-placement -y

Then list the available resource classes and traits

    [root@controller ~]# openstack --os-placement-api-version 1.2 resource class list --sort-column name

    [root@controller ~]# openstack --os-placement-api-version 1.6 trait list --sort-column name

2.4 Nova

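Nova is one of OpenStack's core components, responsible for managing the lifecycle of virtual machine instances (VMs).

It provides functions such as creating, scheduling, starting, stopping, rebooting, and deleting virtual machines.

Nova relies on other OpenStack components (such as Keystone for identity, Glance for image management, and Neutron for networking) to do its work.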

Controller node

Before installing and configuring the Nova service, first create the corresponding databases, service credentials, and API endpoints

    [root@controller ~]# mysql -u root -p

    Enter password:

    Welcome to the MariaDB monitor.  Commands end with ; or \g.

    Your MariaDB connection id is 24

    Server version: 10.5.16-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> CREATE DATABASE nova_api;

    Query OK, 1 row affected (0.000 sec)

    MariaDB [(none)]> CREATE DATABASE nova;

    Query OK, 1 row affected (0.000 sec)

    MariaDB [(none)]> CREATE DATABASE nova_cell0;

    Query OK, 1 row affected (0.000 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> exit

    Bye

Then configure the user and endpoints

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# env | grep OS_

Create the nova user and set its password

    [root@controller ~]# openstack user create --domain default --password-prompt nova

    User Password:000000

    Repeat User Password:000000

Then add the nova user to the service project with the admin role

    [root@controller ~]# openstack role add --project service --user nova admin

Create the nova service entity

    [root@controller ~]# openstack service create --name nova --description "OpenStack Compute" compute

Create the Nova API service endpoints

    [root@controller ~]# openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1

    [root@controller ~]# openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1

    [root@controller ~]# openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1

Then install and configure the components

    [root@controller ~]# dnf install openstack-nova-api openstack-nova-conductor openstack-nova-novncproxy openstack-nova-scheduler -y

Edit the /etc/nova/nova.conf configuration file

    [root@controller ~]# vi /etc/nova/nova.conf

    [DEFAULT]

    enabled_apis = osapi_compute,metadata

    transport_url = rabbit://openstack:000000@controller:5672/

    my_ip = 192.168.184.110

    log_dir = /var/log/nova

    [api]

    auth_strategy = keystone

    [api_database]

    connection = mysql+pymysql://nova:000000@controller/nova_api

    [database]

    connection = mysql+pymysql://nova:000000@controller/nova

    [keystone_authtoken]

    auth_url = http://controller:5000/v3

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = nova

    password = 000000

    [vnc]

    enabled = true

    server_listen = $my_ip

    server_proxyclient_address = $my_ip

    [glance]

    api_servers = http://controller:9292

    [oslo_concurrency]

    lock_path = /var/lib/nova/tmp

    [placement]

    region_name = RegionOne

    project_domain_name = Default

    project_name = service

    auth_type = password

    user_domain_name = Default

    auth_url = http://controller:5000/v3

    username = placement

    password = 000000

Then synchronize the databases

First synchronize the nova-api database

    [root@controller ~]# su -s /bin/sh -c "nova-manage api_db sync" nova

Register the cell0 database

    [root@controller ~]# su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova

Create the cell1 cell

    [root@controller ~]# su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova

Synchronize the nova database

    [root@controller ~]# su -s /bin/sh -c "nova-manage db sync" nova

Verify that cell0 and cell1 are registered correctly

    [root@controller ~]# su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova

Then start the services

    [root@controller ~]# systemctl enable --now \

      openstack-nova-api.service \

      openstack-nova-scheduler.service \

      openstack-nova-conductor.service \

      openstack-nova-novncproxy.service

Compute node

First install the package

    [root@compute ~]# dnf install openstack-nova-compute -y

Edit the /etc/nova/nova.conf configuration file

    [root@compute ~]# vi /etc/nova/nova.conf

    [DEFAULT]

    enabled_apis = osapi_compute,metadata

    transport_url = rabbit://openstack:000000@controller:5672/

    my_ip = 192.168.184.111

    compute_driver = libvirt.LibvirtDriver

    instances_path = /var/lib/nova/instances

    log_dir = /var/log/nova

    [api]

    auth_strategy = keystone

    [keystone_authtoken]

    auth_url = http://controller:5000/v3

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = nova

    password = 000000

    [vnc]

    enabled = true

    server_listen = $my_ip

    server_proxyclient_address = $my_ip

    novncproxy_base_url = http://controller:6080/vnc_auto.html

    [glance]

    api_servers = http://controller:9292

    [oslo_concurrency]

    lock_path = /var/lib/nova/tmp

    [placement]

    region_name = RegionOne

    project_domain_name = Default

    project_name = service

    auth_type = password

    user_domain_name = Default

    auth_url = http://controller:5000/v3

    username = placement

    password = 000000

Steps that can be skipped depending on your environment

Confirm whether the compute node supports hardware acceleration for virtual machines (x86_64-Intel)

On an x86_64 processor, run the following command to check whether hardware acceleration is supported:

    [root@compute ~]# egrep -c '(vmx|svm)' /proc/cpuinfo

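If the command returns 0, hardware acceleration is not supported and libvirt must be configured to use QEMU instead of the default KVM. Edit the [libvirt] section of /etc/nova/nova.conf: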

    [root@compute ~]# vi /etc/nova/nova.conf

    [libvirt]

    virt_type = qemu

If the command returns 1 or greater, hardware acceleration is supported and no extra configuration is needed.

Confirm whether the compute node supports hardware acceleration for virtual machines (arm64-AMD)

On an arm64 processor, run the following command to check whether hardware acceleration is supported

    [root@compute ~]# virt-host-validate

This command is provided by libvirt. By this point libvirt should already be installed as a dependency of openstack-nova-compute, so the command is available.

If it shows FAIL, hardware acceleration is not supported and libvirt must be configured to use QEMU instead of the default KVM.

    QEMU: Checking if device /dev/kvm exists: FAIL (Check that CPU and firmware supports virtualization and kvm module is loaded)

Edit the [libvirt] section of /etc/nova/nova.conf

    [root@compute ~]# vi /etc/nova/nova.conf

    [libvirt]

    virt_type = qemu

If it shows PASS, hardware acceleration is supported and no extra configuration is needed.

    QEMU: Checking if device /dev/kvm exists: PASS

Configure qemu (arm64 only)

This is required only when the processor is arm64.

Edit /etc/libvirt/qemu.conf

    [root@compute ~]# vi /etc/libvirt/qemu.conf

    nvram = ["/usr/share/AAVMF/AAVMF_CODE.fd: \

             /usr/share/AAVMF/AAVMF_VARS.fd", \

             "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw: \

             /usr/share/edk2/aarch64/vars-template-pflash.raw"]

Edit /etc/qemu/firmware/edk2-aarch64.json

    [root@compute ~]# vi /etc/qemu/firmware/edk2-aarch64.json

    {

        "description": "UEFI firmware for ARM64 virtual machines",

        "interface-types": [

            "uefi"

        ],

        "mapping": {

            "device": "flash",

            "executable": {

                "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",

                "format": "raw"

            },

            "nvram-template": {

                "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",

                "format": "raw"

            }

        },

        "targets": [

            {

                "architecture": "aarch64",

                "machines": [

                    "virt-*"

                ]

            }

        ],

        "features": [

        ],

        "tags": [

        ]}

Continuing with the main steps

Start the services

    [root@compute ~]# systemctl enable --now libvirtd.service openstack-nova-compute.service

Controller node

Then return to the Controller node and add the compute node to the OpenStack cluster

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# env | grep OS_

Confirm that the nova-compute service is registered in the database

    [root@controller ~]# openstack compute service list --service nova-compute

Discover the compute node and add it to the cell database

    [root@controller ~]# su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova

Then verify the result

First list the service components to verify that each process started and registered successfully

    [root@controller ~]# openstack compute service list

Then list the API endpoints in the Identity service to verify connectivity to the Identity service

    [root@controller ~]# openstack catalog list

Next list the images in the Image service to verify connectivity to the Image service

    [root@controller ~]# openstack image list

Finally, check that the cells are working and that the other prerequisites are in place

    [root@controller ~]# nova-status upgrade check

2.5 Neutron

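Neutron is OpenStack's networking service component, responsible for providing network connectivity and IP address management for the OpenStack environment.

It lets users create and manage network resources such as virtual networks, subnets, routers, and security groups, providing networking for virtual machines (VMs).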

Controller node

First create the neutron database and grant privileges

    [root@controller ~]# mysql -u root -p

    Enter password:

    Welcome to the MariaDB monitor.  Commands end with ; or \g.

    Your MariaDB connection id is 61

    Server version: 10.5.16-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> CREATE DATABASE neutron;

    Query OK, 1 row affected (0.000 sec)

       

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> exit

    Bye

Set the environment variables

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# env | grep OS_

Create the user and service

    [root@controller ~]# openstack user create --domain default --password-prompt neutron

    User Password:000000

    Repeat User Password:000000

    [root@controller ~]# openstack role add --project service --user neutron admin

    [root@controller ~]# openstack service create --name neutron --description "OpenStack Networking" network

Create the Neutron API service endpoints

    [root@controller ~]# openstack endpoint create --region RegionOne network public http://controller:9696

    [root@controller ~]# openstack endpoint create --region RegionOne network internal http://controller:9696

    [root@controller ~]# openstack endpoint create --region RegionOne network admin http://controller:9696

Next install the packages

    [root@controller ~]# dnf install openstack-neutron openstack-neutron-linuxbridge ebtables ipset openstack-neutron-ml2 -y

Configure Neutron

    [root@controller ~]# vi /etc/neutron/neutron.conf

    [database]

    connection = mysql+pymysql://neutron:000000@controller/neutron

    [DEFAULT]

    core_plugin = ml2

    service_plugins = router

    allow_overlapping_ips = true

    transport_url = rabbit://openstack:000000@controller

    auth_strategy = keystone

    notify_nova_on_port_status_changes = true

    notify_nova_on_port_data_changes = true

    [keystone_authtoken]

    www_authenticate_uri = http://controller:5000

    auth_url = http://controller:5000

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = neutron

    password = 000000

    [nova]

    auth_url = http://controller:5000

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    region_name = RegionOne

    project_name = service

    username = nova

    password = 000000

    [oslo_concurrency]

    lock_path = /var/lib/neutron/tmp

Configure ML2. The specific ML2 configuration can be adjusted to your needs; this guide uses provider network + linuxbridge.

Edit /etc/neutron/plugins/ml2/ml2_conf.ini (append the following directly)

    [root@controller ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini

    [ml2]

    type_drivers = flat,vlan,vxlan

    tenant_network_types = vxlan

    mechanism_drivers = linuxbridge,l2population

    extension_drivers = port_security

    [ml2_type_flat]

    flat_networks = provider

    [ml2_type_vxlan]

    vni_ranges = 1:1000

    [securitygroup]

    enable_ipset = true

Edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini (append the following directly)

    [root@controller ~]# vi /etc/neutron/plugins/ml2/linuxbridge_agent.ini

    [linux_bridge]

    physical_interface_mappings = provider:ens33

    [vxlan]

    enable_vxlan = true

    local_ip = 192.168.184.110

    l2_population = true

    [securitygroup]

    enable_security_group = true

    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

Configure the Layer-3 agent

Edit /etc/neutron/l3_agent.ini

    [root@controller ~]# vi /etc/neutron/l3_agent.ini

    [DEFAULT]

    interface_driver = linuxbridge

Configure the DHCP agent by editing /etc/neutron/dhcp_agent.ini

    [root@controller ~]# vi /etc/neutron/dhcp_agent.ini

    [DEFAULT]

    interface_driver = linuxbridge

    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

    enable_isolated_metadata = true

Configure the metadata agent

Edit /etc/neutron/metadata_agent.ini

    [root@controller ~]# vi /etc/neutron/metadata_agent.ini

    [DEFAULT]

    nova_metadata_host = controller

    metadata_proxy_shared_secret = METADATA_SECRET

Configure the nova service to use neutron by editing /etc/nova/nova.conf

    [root@controller ~]# vi /etc/nova/nova.conf

    [neutron]

    auth_url = http://controller:5000

    auth_type = password

    project_domain_name = default

    user_domain_name = default

    region_name = RegionOne

    project_name = service

    username = neutron

    password = 000000

    service_metadata_proxy = true

    metadata_proxy_shared_secret = METADATA_SECRET

Create the symbolic link /etc/neutron/plugin.ini

    [root@controller ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

Then synchronize the database

    [root@controller ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron

Then restart the nova API service

    [root@controller ~]# systemctl restart openstack-nova-api

Finally, start the networking services

    [root@controller ~]# systemctl enable --now neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service

Compute node

First install the packages

    [root@compute ~]# dnf install openstack-neutron-linuxbridge ebtables ipset -y

Then configure Neutron

Edit /etc/neutron/neutron.conf

    [root@compute ~]# vi /etc/neutron/neutron.conf

    [DEFAULT]

    transport_url = rabbit://openstack:000000@controller

    auth_strategy = keystone

    [keystone_authtoken]

    www_authenticate_uri = http://controller:5000

    auth_url = http://controller:5000

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = neutron

    password = 000000

    [oslo_concurrency]

    lock_path = /var/lib/neutron/tmp

    Edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini

    [root@compute ~]# vi /etc/neutron/plugins/ml2/linuxbridge_agent.ini

    [linux_bridge]

    physical_interface_mappings = provider:ens33

    [vxlan]

    enable_vxlan = true

    local_ip = 192.168.184.111

    l2_population = true

    [securitygroup]

    enable_security_group = true

    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

    Configure the nova compute service to use neutron by editing /etc/nova/nova.conf

    [root@compute ~]# vi /etc/nova/nova.conf

    [neutron]

    auth_url = http://controller:5000

    auth_type = password

    project_domain_name = default

    user_domain_name = default

    region_name = RegionOne

    project_name = service

    username = neutron

    password = 000000

    Then restart the nova-compute service

    [root@compute ~]# systemctl restart openstack-nova-compute.service

    Finally, start the service

    [root@compute ~]# systemctl enable --now neutron-linuxbridge-agent

    [root@compute ~]# systemctl status neutron-linuxbridge-agent
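
Added example (not part of the original guide): METADATA_SECRET above is a placeholder that has to be replaced with the same real secret in both metadata_agent.ini and the [neutron] section of nova.conf, and 000000 is used for every service password. The Python sketch below audits constructed copies of those files for placeholder or weak secrets, including credentials embedded in transport_url or connection URLs; the is_weak policy and the audit helper are assumptions made for this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples that mirror the values used in this guide.
FILES = {
    "/etc/neutron/metadata_agent.ini": """
[DEFAULT]
metadata_proxy_shared_secret = METADATA_SECRET
""",
    "/etc/nova/nova.conf": """
[neutron]
password = 000000
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
""",
    "/etc/neutron/neutron.conf": """
[DEFAULT]
transport_url = rabbit://openstack:000000@controller
[keystone_authtoken]
password = 000000
""",
}
SECRET_KEYS = {"password", "metadata_proxy_shared_secret"}
URL_KEYS = {"transport_url", "connection"}  # credentials embedded in a URL

def is_weak(value):
    # Assumed policy: placeholder text, fewer than 16 characters, or one repeated character.
    return "SECRET" in value.upper() or len(value) < 16 or len(set(value)) == 1

def audit(files):
    findings, shared = [], {}
    for path, text in files.items():
        # default_section is renamed so [DEFAULT] is not copied into every other section.
        cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                        default_section="__unused__")
        cfg.read_string(text)
        for section in cfg.sections():
            for key, value in cfg[section].items():
                secret = urlsplit(value).password if key in URL_KEYS else value
                if key in SECRET_KEYS | URL_KEYS and secret and is_weak(secret):
                    findings.append((path, section, key, "weak or placeholder secret"))
                if key == "metadata_proxy_shared_secret":
                    shared[path] = value
    if len(set(shared.values())) > 1:
        findings.append(("*", "-", "metadata_proxy_shared_secret", "differs between files"))
    return findings

if __name__ == "__main__":
    for finding in audit(FILES):
        print(*finding, sep=" | ")
```

To audit a real node, build the same dictionary from the files on disk, for example `{p: open(p).read() for p in paths}`.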

    2.6 Cinder

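    Cinder is a core component of the OpenStack project and provides the Block Storage service.

    It is OpenStack's storage service module: it lets users create and manage persistent block storage volumes, which can be attached to virtual machines (VMs) as their storage devices.

    Controller node

    First create the cinder database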

    [root@controller ~]# mysql -u root -p

    Enter password:

    Welcome to the MariaDB monitor.  Commands end with ; or \g.

    Your MariaDB connection id is 155

    Server version: 10.5.16-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> CREATE DATABASE cinder;

    Query OK, 1 row affected (0.000 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY '000000';

    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> exit

    Bye

    Initialize the Keystone resource objects

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# openstack user create --domain default --password-prompt cinder

    User Password:000000

    Repeat User Password:000000

    [root@controller ~]# openstack role add --project service --user cinder admin

    [root@controller ~]# openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3

    [root@controller ~]# openstack endpoint create --region RegionOne volumev3 public http://controller:8776/v3/%\(project_id\)s

    [root@controller ~]# openstack endpoint create --region RegionOne volumev3 internal http://controller:8776/v3/%\(project_id\)s

    Then install the packages

    [root@controller ~]# dnf install openstack-cinder-api openstack-cinder-scheduler -y

    Edit the cinder configuration file /etc/cinder/cinder.conf

    [root@controller ~]# vi /etc/cinder/cinder.conf

    [DEFAULT]

    transport_url = rabbit://openstack:000000@controller

    auth_strategy = keystone

    my_ip = 192.168.184.110

    [database]

    connection = mysql+pymysql://cinder:000000@controller/cinder

    [keystone_authtoken]

    www_authenticate_uri = http://controller:5000

    auth_url = http://controller:5000

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = Default

    user_domain_name = Default

    project_name = service

    username = cinder

    password = 000000

    [oslo_concurrency]

    lock_path = /var/lib/cinder/tmp

    Sync the database

    [root@controller ~]# su -s /bin/sh -c "cinder-manage db sync" cinder

    Edit the nova configuration /etc/nova/nova.conf

    [root@controller ~]# vi /etc/nova/nova.conf

    [cinder]

    os_region_name = RegionOne

    Start the services

    [root@controller ~]# systemctl restart openstack-nova-api

    [root@controller ~]# systemctl enable --now openstack-cinder-api openstack-cinder-scheduler

    [root@controller ~]# systemctl status openstack-cinder-api openstack-cinder-scheduler

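    Storage node

    The Storage node needs at least one disk prepared in advance to serve as Cinder's storage backend

    The rest of this section assumes the storage node already has an unused disk with the device name /dev/sdb

    First install the packages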

    [root@storage ~]# dnf install lvm2 device-mapper-persistent-data scsi-target-utils rpcbind nfs-utils openstack-cinder-volume openstack-cinder-backup -y

    Then configure the LVM volume group

    [root@storage ~]# pvcreate /dev/sdb

    [root@storage ~]# vgcreate cinder-volumes /dev/sdb

    Edit the cinder configuration /etc/cinder/cinder.conf

    [root@storage ~]# vi /etc/cinder/cinder.conf

    [DEFAULT]

    transport_url = rabbit://openstack:000000@controller

    auth_strategy = keystone

    my_ip = 192.168.184.112

    enabled_backends = lvm

    glance_api_servers = http://controller:9292

    [keystone_authtoken]

    www_authenticate_uri = http://controller:5000

    auth_url = http://controller:5000

    memcached_servers = controller:11211

    auth_type = password

    project_domain_name = default

    user_domain_name = default

    project_name = service

    username = cinder

    password = 000000

    [database]

    connection = mysql+pymysql://cinder:000000@controller/cinder

    [lvm]

    volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver

    volume_group = cinder-volumes

    target_protocol = iscsi

    target_helper = lioadm

    [oslo_concurrency]

    lock_path = /var/lib/cinder/tmp

    Then start the services

    [root@storage ~]# systemctl start openstack-cinder-volume target

    [root@storage ~]# systemctl start openstack-cinder-backup

    Then go back to the Controller node and verify that everything is correct

    [root@controller ~]# source ~/.admin-openrc

    [root@controller ~]# openstack volume service list

    Create a volume to verify that the configuration is correct

    [root@controller ~]# openstack volume create --size 1 test-volume

    [root@controller ~]# openstack volume list

    2.7 Horizon

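    Horizon is the web front end provided by OpenStack. It lets users control the OpenStack cluster with mouse operations in a web page instead of cumbersome CLI commands. Horizon is generally deployed on the controller node.

    Perform the following steps on the Controller node

    First install the package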

    [root@controller ~]# dnf install openstack-dashboard -y

    Then edit the configuration file /etc/openstack-dashboard/local_settings

    [root@controller ~]# vi /etc/openstack-dashboard/local_settings

    OPENSTACK_HOST = "controller"

    ALLOWED_HOSTS = ['*', ]

    OPENSTACK_KEYSTONE_URL =  "http://controller:5000/v3"

    SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

    CACHES = {

        'default': {

            'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',

            'LOCATION': 'controller:11211',

        }

    }

    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"

    OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"

    WEBROOT = '/dashboard'

    POLICY_FILES_PATH = "/etc/openstack-dashboard"

    OPENSTACK_API_VERSIONS = {

        "identity": 3,

        "image": 2,

        "volume": 3,

    }

    Then restart the service

    [root@controller ~]# systemctl restart httpd
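
Added example (not part of the original guide): ALLOWED_HOSTS = ['*'] makes Django accept any Host header, which is convenient in a lab but should be narrowed before the dashboard is exposed further. The Python sketch below re-implements Django's host-matching rule to compare the setting above with a restricted list; the restricted values and the function names are assumptions based on the addresses used in this guide.

```python
def is_same_domain(host, pattern):
    """Django-style match: exact name, or a leading-dot pattern covering subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern

def split_host(header):
    """Strip an optional port from a Host header value (IPv6 literals keep their brackets)."""
    header = header.strip().lower()
    if header.startswith("["):
        return header[: header.find("]") + 1]
    return header.rsplit(":", 1)[0] if ":" in header else header

def host_allowed(header, allowed_hosts):
    host = split_host(header)
    host = host[:-1] if host.endswith(".") else host  # ignore a trailing dot
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)

AS_DEPLOYED = ["*"]                               # the value set in this guide
RESTRICTED = ["controller", "192.168.184.110"]    # assumed: names Horizon is reached by here
# Constructed Host header values for the comparison.
SAMPLE_HEADERS = ["192.168.184.110", "controller:80", "unrelated.example", "CONTROLLER."]

def compare(headers):
    """Map each header to (accepted as deployed, accepted with the restricted list)."""
    return {h: (host_allowed(h, AS_DEPLOYED), host_allowed(h, RESTRICTED)) for h in headers}

if __name__ == "__main__":
    for header, (wide, narrow) in compare(SAMPLE_HEADERS).items():
        print(f"{header:20} wildcard={wide} restricted={narrow}")
```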

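    At this point the Horizon deployment is complete. Open a browser and go to http://192.168.184.110/dashboard to open the Horizon login page.

    Click the "Sign In" button to log in to the Dashboard

    Functional verification
    1. Account management module

    In the Dashboard, click "Identity → Users", then click the "Create User" button in the upper right to open the user creation form. After entering the parameters, click the "Create User" button to create the user

    Back on the main page, the newly created user appears in the Dashboard user list

    Connect to the controller node with a remote tool; the created user can also be seen in the user list there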

    [root@controller ~]# openstack user list | grep GCX

    The openstack user show command can be used to query the details of the openstack-test user

    [root@controller ~]# openstack user show GCX

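    2. Image module

    In the Dashboard, click "Admin → Compute → Images → Create Image" to open the image creation form, where you can give the image a custom name and add a local image file (cirros-0.3.4-x86_64-disk.img)

    After setting the image format to QCOW2, configure the remaining options as required, then click the "Create Image" button to finish creating the image.

    3. Network module

    In the Dashboard, click "Network" and create the required network "testnet"

    Select the project "admin" from the drop-down list and tick the "Shared" and "External Network" options so that instances can reach the external network

    Then click the "Next" button to open the subnet form and enter the subnet name testsubnet, the network address 192.168.184.115/24 and the gateway IP 192.168.184.2

    Then click the "Next" button to reach the final confirmation page and click the "Create Network" button

    4. Instance module

    To create an instance successfully, a flavor has to be created first.

    In the Dashboard, click "Admin → Compute → Flavors", then click the "Create Flavor" button and enter the attributes in the dialog: name "test", 1 vCPU, 512M of memory, 1GB root disk

    Finally, click the "Create Flavor" button at the lower right to finish

    Once all of the modules above are done, an instance can be created and used. If any of the steps above is missing, instance creation may fail

    In the Dashboard, click "Project → Compute → Instances", then click the "Launch Instance" button on the right to open the instance creation form and enter the instance name "test-instance"

    Next, select in turn the "Source*", "Flavor*" and "Networks" created in the modules above, then click the "Launch Instance" button to create the instance

    After creation, wait a moment and the instance "test-instance" is shown as running in the instance list

    From the instance's "Actions" drop-down list, select "Console" to open the instance console, then enter the correct login name and password as prompted to log in to the instance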
