OpenStack Icehouse私有云实战部署（一）

前言

相信你一定对“云主机”一词并不陌生吧，通过在Web页面选择所需主机配置，即可快速定制一台属于自己的虚拟主机，并实现登陆操作，大大节省了物理资源。但这一过程是如何实现的呢？本文带来OpenStack Icehouse私有云实战部署。

OpenStack

简介

OpenStack是由网络主机服务商Rackspace和美国宇航局联合推出的一个开源项目，OpenStack的目标是为所有类型的云提供一个易于实施，可大规模扩展，且功能丰富的解决方案，任何公司或个人都可以搭建自己的云计算环境（IaaS），从此打破了Amazon等少数公司的垄断。

架构

工作流程

OpenStack部署

实验环境

实验拓扑

#各节点时间已同步

#各节点已禁用NetworkManager服务

#各节点已清空防火墙规则，并保存

#各节点已基于hosts实现主机名通信

[root@controller ~]# cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.10.123 controller.scholar.com controller

192.168.10.124 compute.scholar.com compute

192.168.10.125 network.scholar.com network

192.168.10.126 block.scholar.com block

#Network Node用于外部网络的接口不能用IP地址，建议使用类似如下配置

#INTERFACE_NAME为实际的网络接口名，例如eth1：

DEVICE=INTERFACE_NAME

TYPE=Ethernet

ONBOOT=yes

BOOTPROTO=none

路由配置

Block Storage Node还同时提供路由功能，首先来配置一下路由

[root@bolck ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

[root@bolck ~]# sysctl -p

[root@bolck ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.10.126

[root@bolck ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

安装配置Keystone

安装Keystone

openstac yum源安装

[root@controller ~]# wget http://rdo.fedorapeople.org/openstack-icehouse/rdo-release-icehouse.rpm

[root@controller ~]# rpm -ivh rdo-release-icehouse.rpm

安装并初始化MySQL服务器

[root@controller ~]# yum install mariadb-galera-server -y

[root@controller ~]# vim /etc/my.cnf

[mysqld]

...

datadir=/mydata/data

default-storage-engine = innodb

innodb_file_per_table = ON

collation-server = utf8_general_ci

init-connect = 'SET NAMES utf8'

character-set-server = utf8

skip_name_resolve = ON

[root@controller ~]# mkdir /mydata/data -p

[root@controller ~]# chown -R mysql.mysql /mydata/

[root@controller ~]# mysql_install_db --datadir=/mydata/data/ --user=mysql

[root@controller ~]# service mysqld start

Starting mysqld: [ OK ]

[root@controller ~]# chkconfig mysqld on

[root@controller ~]# mysql_secure_installation

安装配置Identity 服务

[root@controller ~]# yum install openstack-utils openstack-keystone python-keystoneclient -y

#创建 keystone数据库，其默认会创建一个keystone用户以访问此同名数据库，密码可以使用--pass指定

[root@controller ~]# openstack-db --init --service keystone --pass keystone

Please enter the password for the 'root' MySQL user:

Verified connectivity to MySQL.

Creating 'keystone' database.

Initializing the keystone database, please wait...

Complete!

编辑keystone主配置文件，使得其使用MySQL做为数据存储池

[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf \

> database connection mysql://keystone:keystone@controller/keystone

配置token

[root@controller ~]# export ADMIN_TOKEN=$(openssl rand -hex 10)

[root@controller ~]# export OS_SERVICE_TOKEN=$ADMIN_TOKEN

[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

[root@controller ~]# echo $ADMIN_TOKEN > ~/openstack_admin_token

[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN

设定openstack用到的证书服务

[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

[root@controller ~]# chown -R keystone.keystone /etc/keystone/ssl

[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl

启动服务

[root@controller ~]# service openstack-keystone start

Starting keystone: [ OK ]

[root@controller ~]# chkconfig openstack-keystone on

[root@controller ~]# ss -tnlp | grep keystone-all

LISTEN 0 128 *:35357 *:* users:(("keystone-all",7063,4))

LISTEN 0 128 *:5000 *:* users:(("keystone-all",7063,6))

创建tenant、角色和用户

#创建admin用户

[root@controller ~]# keystone user-create --name=admin --pass=admin --email=admin@scholar.com

#创建admin角色

[root@controller ~]# keystone role-create --name=admin

#创建admin tenant

[root@controller ~]# keystone tenant-create --name=admin --description="Admin Tenant"

#关联用户、角色及tenant

[root@controller ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

[root@controller ~]# keystone user-role-add --user=admin --role=_member_ --tenant=admin

#创建普通用户（非必须）

[root@controller ~]# keystone user-create --name=demo --pass=demo --email=demo@scholar.com

[root@controller ~]# keystone tenant-create --name=demo --description="Demo Tenant"

[root@controller ~]# keystone user-role-add --user=demo --role=_member_ --tenant=demo

#创建一个服务tenant以备后用

[root@controller ~]# keystone tenant-create --name=service --description="Service Tenant"

设定Keystone为API endpoint

[root@controller ~]# keystone service-create --name=keystone --type=identity \

> --description="OpenStack Identity"

#为上面新建的service添加endpoint

[root@controller ~]# keystone endpoint-create \

> --service-id=$(keystone service-list | awk '/ identity / {print $2}') \

> --publicurl=http://controller:5000/v2.0 \

> --internalurl=http://controller:5000/v2.0 \

> --adminurl=http://controller:35357/v2.0

启用基于用户名认证

[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

[root@controller ~]# vim ~/admin-openrc.sh

export OS_USERNAME=admin

export OS_TENANT_NAME=admin

export OS_PASSWORD=admin

export OS_AUTH_URL=http://controller:35357/v2.0/

[root@controller ~]# . admin-openrc.sh

#验正新认证机制是否生效

[root@controller ~]# keystone user-list