  • Installing the OpenStack Icehouse controller on CentOS 6.4 (Part 1)

    *This article covers system initialization and the installation and configuration of keystone and glance.


    OpenStack discussion group: 322596568


    Host allocation:

    Hostname       IP (Static)        OS                                Spec                                  Role

    openstack      192.168.20.200     CentOS-6.4-x86_64-minimal         4CPU, 16G, 300G, 2 NICs               Management node / compute node

    node01         192.168.20.201     CentOS-6.4-x86_64-minimal         4CPU, 16G, 300G, 2 NICs               Compute node


    Initial configuration:

    (1). Configure the /etc/hosts file

    [root@openstack ~]# vi /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    192.168.10.21   openstack

    192.168.10.22   node01

    (2). Configure the network

    [root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0

    TYPE=Ethernet

    ONBOOT=yes

    BOOTPROTO=static

    IPADDR=192.168.20.200

    NETMASK=255.255.255.0

    GATEWAY=192.168.20.2

    [root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1

    DEVICE=eth1

    TYPE=Ethernet

    ONBOOT=yes

    BOOTPROTO=none

    (3). Disable SELinux:

    [root@openstack ~]# vi /etc/selinux/config 

    # This file controls the state of SELinux on the system.

    # SELINUX= can take one of these three values:

    #       enforcing - SELinux security policy is enforced.

    #       permissive - SELinux prints warnings instead of enforcing.

    #       disabled - SELinux is fully disabled.

    SELINUX=disabled

    # SELINUXTYPE= type of policy in use. Possible values are:

    #       targeted - Only targeted network daemons are protected.

    #       strict - Full SELinux protection.

    SELINUXTYPE=targeted

    [root@openstack ~]# setenforce 0

    (4). Edit the /etc/sysctl.conf parameters:

    [root@openstack ~]# vi /etc/sysctl.conf

    ……………………

    net.ipv4.ip_forward=1

    net.ipv4.conf.all.rp_filter=0

    net.ipv4.conf.default.rp_filter=0

    ……………………
    [root@openstack ~]# sysctl -p                    # apply the sysctl.conf settings

    (5). Disable unneeded services (optional):

    #!/bin/bash

    SERVICE_SUM="auditd blk-availability iscsi iscsid lvm2-monitor mdmonitor multipathd netconsole postfix rdisc restorecond saslauthd"

    echo $SERVICE_SUM | xargs -n1 | while read SERVICE

    do

        chkconfig $SERVICE off

        service $SERVICE stop

    done

    (6). Add the third-party package repositories:

    [root@openstack ~]# yum -y install http://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-3.noarch.rpm

    [root@openstack ~]# yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

    (7). Update the kernel:

    [root@openstack ~]# yum -y install kernel-2.6.32-358.123.2.openstack*

    (8). Install the OpenStack utility packages:

    [root@openstack ~]# yum -y install openstack-utils openstack-selinux

    (9). Reboot:

    [root@openstack ~]# reboot


    2. Install and configure the NTP service

    (1). Install the NTP service:

    [root@openstack ~]# yum -y install ntp


    (2). Configure the NTP service:

    [root@openstack ~]# vi /etc/ntp.conf

    driftfile /var/lib/ntp/drift

    restrict default ignore

    restrict 127.0.0.1 

    restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap

    server ntp.api.bz

    server  127.127.1.0     # local clock

    fudge   127.127.1.0 stratum 10

    keys /etc/ntp/keys

    (3). Start the NTP service and enable it at boot:

    [root@openstack ~]# service ntpd start

    [root@openstack ~]# chkconfig ntpd on

    3. Install and configure MySQL:

    (1). Install the MySQL service:

    [root@openstack ~]# yum -y install mysql mysql-server MySQL-python            

    (yum install mysql MySQL-python in node)


    (2). Edit the MySQL configuration file:

    [mysqld]

    datadir=/var/lib/mysql

    socket=/var/lib/mysql/mysql.sock

    user=mysql

    # Disabling symbolic-links is recommended to prevent assorted security risks

    symbolic-links=0

    bind-address = 0.0.0.0                    # set the listen IP address to 0.0.0.0

    default-storage-engine = innodb

    collation-server = utf8_general_ci

    init-connect = 'SET NAMES utf8'

    character-set-server = utf8


    [mysqld_safe]

    log-error=/var/log/mysqld.log

    pid-file=/var/run/mysqld/mysqld.pid


    (3). Start the MySQL service and enable it at boot:

    [root@openstack ~]# service mysqld start

    [root@openstack ~]# chkconfig mysqld on


    (4). Set the MySQL root password to passwd:

    [root@openstack ~]# mysqladmin -uroot password 'passwd'; history -c


    4. Install and configure the qpid service

    (1). Install the qpid service:

    [root@openstack ~]# yum -y install qpid-cpp-server memcached


    (2). Edit the /etc/qpidd.conf configuration file and set auth to no:

    [root@openstack ~]# vi /etc/qpidd.conf

    ……………………

    auth=no

    (3). Start the qpid service and enable it at boot:

    [root@openstack ~]# service qpidd start

    [root@openstack ~]# chkconfig qpidd on


    5. Install and configure KeyStone

    (1). Install the KeyStone service:

    [root@openstack ~]# yum -y install openstack-keystone python-keystoneclient


    (2). Create the keystone database and update the database connection in the configuration file:

    [root@openstack ~]#  openstack-db --init --service keystone --rootpw passwd


    (3). Update the database connection in the configuration file:

    [root@openstack ~]#  openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:keystone@localhost/keystone


    (4). Use openssl to generate a random token and store it in the configuration file:

    [root@openstack ~]# export SERVICE_TOKEN=$(openssl rand -hex 10)     # generates a random SERVICE_TOKEN value; keep a record of it

    [root@openstack ~]# export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0

    [root@openstack ~]# mkdir /root/config

    [root@openstack ~]# echo $SERVICE_TOKEN > /root/config/ks_admin_token.txt

    [root@openstack ~]# cat /root/config/ks_admin_token.txt

    12dd70ede7c9d9d3ed3c

    [root@openstack ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN

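    *Note: the generated SERVICE_TOKEN value is written to a file so that it can be reused later; every SERVICE_TOKEN value used from here on is read from ks_admin_token.txt. Once the file has been written, do not run the command again to generate a new SERVICE_TOKEN, because a mismatch between the old and new values makes debugging harder.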
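
The note above requires that the token be generated only once. As an added example (not part of the original post), the hypothetical helper `ensure_service_token` creates the token on first use with owner-only permissions and returns the stored value on every later call; the default path is the one from step (4).

```shell
#!/bin/bash
# Added example, not from the original post. ensure_service_token is a
# hypothetical helper; the default path is the one used in step (4).

ensure_service_token() {
    local token_file="${1:-/root/config/ks_admin_token.txt}"
    local token
    if [ -s "$token_file" ]; then
        # A token was already stored: return it unchanged so keystone.conf,
        # .bash_profile and this file never drift apart.
        token=$(head -n 1 "$token_file")
        if printf '%s' "$token" | grep -Eq '^[0-9a-f]{20}$'; then
            printf '%s\n' "$token"
            return 0
        fi
        echo "refusing to overwrite unexpected content in $token_file" >&2
        return 1
    fi
    (
        umask 077                       # new directory 0700, new file 0600
        mkdir -p "$(dirname "$token_file")" || exit 1
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -hex 10        # same generator as the walkthrough
        else
            od -An -tx1 -N10 /dev/urandom | tr -d ' \n'; echo
        fi > "$token_file"
    ) || return 1
    head -n 1 "$token_file"
}

# Usage on the controller:
#   export SERVICE_TOKEN=$(ensure_service_token)
```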


    (5). By default keystone uses PKI tokens. Create the signing keys and certificates:

    [root@openstack ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

    [root@openstack ~]# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log


    (6). Start the keystone service and enable it at boot:

    [root@openstack ~]# service openstack-keystone start

    [root@openstack ~]# chkconfig openstack-keystone on


    [root@openstack ~]# (crontab -l 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/root


    5.2. Define Users, Tenants and Roles

    (1). Edit the .bash_profile file and add the following variables:

    [root@openstack ~]# vi .bash_profile

    ………………

    export OS_USERNAME=admin

    export OS_PASSWORD=password

    export OS_TENANT_NAME=admin

    export OS_AUTH_URL=http://127.0.0.1:5000/v2.0

    export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0

    export SERVICE_TOKEN=12dd70ede7c9d9d3ed3c

    ………………

    Run the following command to apply the variables immediately:

    [root@openstack ~]# source .bash_profile


    (2). Create an administrative user named admin:

    [root@openstack ~]# keystone user-create --name=admin --pass=password --email=keystone@chensh.net

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +----------+----------------------------------+

    | Property |              Value               |

    +----------+----------------------------------+

    |  email   |       keystone@chensh.net        |

    | enabled  |               True               |

    |    id    | 16df18d2617943ea8b0cfce39e7e6541 |

    |   name   |              admin               |

    | username |              admin               |

    +----------+----------------------------------+

    (3). Create an administrative role named admin:

    [root@openstack ~]# keystone role-create --name=admin

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +----------+----------------------------------+

    | Property |              Value               |

    +----------+----------------------------------+

    |    id    | 90ef9ebcdcbc47178cf959911ce0569e |

    |   name   |              admin               |

    +----------+----------------------------------+

    (4). Create a tenant for the administrative user:

    [root@openstack ~]# keystone tenant-create --name=admin --description='Admin Tenant'

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    | description |           Admin Tenant           |

    |   enabled   |               True               |

    |      id     | 4af98cdce9ea449b90c8dfec454b2b9f |

    |     name    |              admin               |

    +-------------+----------------------------------+

    (5). Add the role to the user:

    Link the admin user, admin role, and admin tenant together using the user-role-add option:

    [root@openstack ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    Link the admin user, _member_ role, and admin tenant:

    [root@openstack ~]# keystone user-role-add --user=admin --role=_member_ --tenant=admin 

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    (6). Create a Service tenant:

    [root@openstack ~]# keystone tenant-create --name=service --description='Service Tenant'

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    | description |          Service Tenant          |

    |   enabled   |               True               |

    |      id     | 7202578800e245808231cdfc07d26100 |

    |     name    |             service              |

    +-------------+----------------------------------+


    5.3. Define Services and API Endpoints

    (1). Create a service for KeyStone:

    [root@openstack ~]# keystone service-create --name=keystone --type=identity --description="KeystoneIdentity Service"

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    | description |     KeystoneIdentity Service     |

    |   enabled   |               True               |

    |      id     | 05224edaf29c4fa9a1d600749edc46b9 |

    |     name    |             keystone             |

    |     type    |             identity             |

    +-------------+----------------------------------+


    (2). Create an endpoint using the service ID:

    [root@openstack ~]# vi /root/config/keystone.sh

    #!/bin/bash

    my_ip=0.0.0.0

    service=$(keystone service-list | awk '/keystone/ {print $2}')

    keystone endpoint-create --service-id=$service --publicurl=http://$my_ip:5000/v2.0 --internalurl=http://$my_ip:5000/v2.0 --adminurl=http://$my_ip:35357/v2.0

    [root@openstack ~]# sh /root/config/keystone.sh

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    |   adminurl  |    http://0.0.0.0:35357/v2.0     |

    |      id     | c356f86d4c1c4be89274f23f86ed4d1e |

    | internalurl |     http://0.0.0.0:5000/v2.0     |

    |  publicurl  |     http://0.0.0.0:5000/v2.0     |

    |    region   |            regionOne             |

    |  service_id | 05224edaf29c4fa9a1d600749edc46b9 |

    +-------------+----------------------------------+

    [root@openstack ~]# keystone user-list

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +----------------------------------+-------+---------+---------------------+

    |                id                |  name | enabled |        email        |

    +----------------------------------+-------+---------+---------------------+

    | 16df18d2617943ea8b0cfce39e7e6541 | admin |   True  | keystone@chensh.net |

    +----------------------------------+-------+---------+---------------------+

    [root@openstack ~]# keystone user-role-list --user admin --tenant admin

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +----------------------------------+----------+----------------------------------+----------------------------------+

    |                id                |   name   |             user_id              |            tenant_id             |

    +----------------------------------+----------+----------------------------------+----------------------------------+

    | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 16df18d2617943ea8b0cfce39e7e6541 | 4af98cdce9ea449b90c8dfec454b2b9f |

    | 90ef9ebcdcbc47178cf959911ce0569e |  admin   | 16df18d2617943ea8b0cfce39e7e6541 | 4af98cdce9ea449b90c8dfec454b2b9f |

    +----------------------------------+----------+----------------------------------+----------------------------------+


    6. Install and configure Glance


    6.1. Initialize Glance

    (1). Install the Glance service:

    [root@openstack ~]# yum -y install openstack-glance


    (2). Create the Glance database:


    [root@openstack ~]# openstack-db --init --service glance  --rootpw passwd


    (3). Update the database connection in the configuration files:

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance


    6.2. Create the User, define Services and API Endpoints

    (1). Create a glance user for the Glance service:

    [root@openstack ~]# keystone user-create --name=glance --pass=service --email=glance@chensh.net

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +----------+----------------------------------+

    | Property |              Value               |

    +----------+----------------------------------+

    |  email   |        glance@chensh.net         |

    | enabled  |               True               |

    |    id    | e52a0f54a49346c485e68558d2c3f1fb |

    |   name   |              glance              |

    | username |              glance              |

    +----------+----------------------------------+

    [root@openstack ~]# keystone user-role-add --user=glance --tenant=service --role=admin

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    (2). Create a service for glance:

    [root@openstack ~]# keystone service-create --name=glance --type=image --description="Glance ImageService"

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    | description |       Glance ImageService        |

    |   enabled   |               True               |

    |      id     | 28fe6663aa404a0b8686c759de618240 |

    |     name    |              glance              |

    |     type    |              image               |

    +-------------+----------------------------------+

    (3). Create an endpoint using the service ID:

    [root@openstack ~]# vi /root/config/glance.sh

    #!/bin/bash

    my_ip=0.0.0.0

    service=$(keystone service-list | awk '/glance/ {print $2}')

    keystone endpoint-create --service-id=$service --publicurl=http://$my_ip:9292 --internalurl=http://$my_ip:9292 --adminurl=http://$my_ip:9292

    [root@openstack ~]# sh /root/config/glance.sh

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

    +-------------+----------------------------------+

    |   Property  |              Value               |

    +-------------+----------------------------------+

    |   adminurl  |       http://0.0.0.0:9292        |

    |      id     | 72aa5379814c495fb679504358443457 |

    | internalurl |       http://0.0.0.0:9292        |

    |  publicurl  |       http://0.0.0.0:9292        |

    |    region   |            regionOne             |

    |  service_id | 28fe6663aa404a0b8686c759de618240 |

    +-------------+----------------------------------+

    6.3. Configure the Glance service

    [root@openstack ~]# cp -av /etc/glance/glance-api.conf /etc/glance/glance-api.conf_bak

    [root@openstack ~]# cp -av /etc/glance/glance-registry.conf /etc/glance/glance-registry.conf_bak

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT rpc_backend qpid

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT qpid_hostname $HOSTNAME

    (1). Add the keystone authentication settings to the glance configuration files:

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://0.0.0.0:5000

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host 127.0.0.1

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_port 35357

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_protocol http

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password service


    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://0.0.0.0:5000

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host 127.0.0.1

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_port 35357

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_protocol http

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password service


    (2). Set the ini file paths and add the keystone authentication settings to the ini files:

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy config_file /etc/glance/glance-api-paste.ini

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf paste_deploy config_file /etc/glance/glance-registry-paste.ini

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone


    [root@openstack ~]# cp /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini

    [root@openstack ~]# cp /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini

    [root@openstack ~]# chown -R root:glance /etc/glance/glance-api-paste.ini 

    [root@openstack ~]# chown -R root:glance /etc/glance/glance-registry-paste.ini


    [root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken auth_host 127.0.0.1

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_tenant_name service

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_user glance

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_password service

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken auth_host 127.0.0.1

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_tenant_name service

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_user glance

    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_password service


    (3). Change the image storage path (images are stored under /var/lib/glance by default; skip this step if no change is needed)

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT filesystem_store_datadir /openstack/glance/images/

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT scrubber_datadir /openstack/glance/scrubber

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT image_cache_dir /openstack/glance/image-cache/

    [root@openstack ~]# mkdir /openstack

    [root@openstack ~]# cp -a /var/lib/glance/ /openstack/

    [root@openstack ~]# chown -R glance:glance /openstack/glance/


    (4). Start the glance services and enable them at boot

    [root@openstack ~]# service openstack-glance-api start

    [root@openstack ~]# service openstack-glance-registry start

    [root@openstack ~]# chkconfig openstack-glance-api on

    [root@openstack ~]# chkconfig openstack-glance-registry on


    6.4. Test Glance


    (1). Upload an image

    [root@openstack ~]# glance image-create --name=centos6.4_20G --disk-format=qcow2 --container-format=ovf --is-public=true < /root/centos6.4-mini_x64.qcow2 

    +------------------+--------------------------------------+

    | Property         | Value                                |

    +------------------+--------------------------------------+

    | checksum         | 4b16b4bcfd7f4fe7f0f2fdf8919048b4     |

    | container_format | ovf                                  |

    | created_at       | 2014-03-31T06:26:26                  |

    | deleted          | False                                |

    | deleted_at       | None                                 |

    | disk_format      | qcow2                                |

    | id               | 45456157-9b46-4e40-8ee3-fbb2e40f227b |

    | is_public        | True                                 |

    | min_disk         | 0                                    |

    | min_ram          | 0                                    |

    | name             | centos6.4_20G                        |

    | owner            | 446893f3733b4294a7080f3b0bf1ba61     |

    | protected        | False                                |

    | size             | 698023936                            |

    | status           | active                               |

    | updated_at       | 2014-03-31T06:26:30                  |

    +------------------+--------------------------------------+


    (2). List images

    [root@openstack ~]# glance image-list

    +--------------------------------------+---------------+-------------+------------------+-----------+--------+

    | ID                                   | Name          | Disk Format | Container Format | Size      | Status |

    +--------------------------------------+---------------+-------------+------------------+-----------+--------+

    | 45456157-9b46-4e40-8ee3-fbb2e40f227b | centos6.4_20G | qcow2       | ovf              | 698023936 | active |

    +--------------------------------------+---------------+-------------+------------------+-----------+--------+
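
As a post-install check on the files edited above, the added example below (not part of the original post) lists the settings from this walkthrough that a hardening review would revisit: SELINUX=disabled, bind-address 0.0.0.0, qpid auth=no, the bootstrap admin_token, and database passwords equal to the user name. All helper names are hypothetical, the sample tree is constructed, and /etc/my.cnf as the MySQL configuration path is an assumption because the post does not name the file.

```shell
#!/bin/bash
# Added example, not from the original post. ini_get, db_cred_is_default,
# audit_controller and make_sample_tree are hypothetical helper names.

# ini_get FILE SECTION KEY: print the value of KEY; SECTION "" = before any [header].
ini_get() {
    [ -r "$1" ] || return 0
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/^[ \t]*\[|\].*$/, ""); cur = $0; next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/[ \t]+#.*$/, "", v)      # drop a trailing comment, as in my.cnf
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# True when the password in scheme://user:pass@host/db equals the user name.
db_cred_is_default() {
    local cred="${1#*://}"
    cred="${cred%%@*}"
    case "$cred" in
        *:*) [ "${cred%%:*}" = "${cred#*:}" ] ;;
        *)   return 1 ;;
    esac
}

# audit_controller ROOT: one line per finding. ROOT "" audits the live /etc;
# any other value audits a copy of the tree under ROOT.
audit_controller() {
    local root="${1%/}" f v
    v=$(ini_get "$root/etc/selinux/config" "" SELINUX)
    if [ "$v" = disabled ]; then echo "selinux: SELINUX=disabled"; fi
    v=$(ini_get "$root/etc/my.cnf" mysqld bind-address)
    if [ "$v" = 0.0.0.0 ]; then echo "mysql: bind-address=0.0.0.0"; fi
    v=$(ini_get "$root/etc/qpidd.conf" "" auth)
    if [ "$v" = no ]; then echo "qpid: auth=no"; fi
    v=$(ini_get "$root/etc/keystone/keystone.conf" DEFAULT admin_token)
    if [ -n "$v" ]; then echo "keystone: admin_token is set"; fi
    v=$(ini_get "$root/etc/keystone/keystone.conf" sql connection)
    if db_cred_is_default "$v"; then echo "keystone: DB password equals user name"; fi
    for f in glance-api.conf glance-registry.conf; do
        v=$(ini_get "$root/etc/glance/$f" DEFAULT sql_connection)
        if db_cred_is_default "$v"; then echo "$f: DB password equals user name"; fi
    done
    return 0
}

# Constructed sample tree with the values this walkthrough writes.
make_sample_tree() {
    mkdir -p "$1/etc/selinux" "$1/etc/keystone" "$1/etc/glance"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$1/etc/selinux/config"
    printf '[mysqld]\nbind-address = 0.0.0.0    #listen address\n' > "$1/etc/my.cnf"
    printf 'auth=no\n' > "$1/etc/qpidd.conf"
    printf '[DEFAULT]\nadmin_token = 12dd70ede7c9d9d3ed3c\n[sql]\n%s\n' \
        'connection = mysql://keystone:keystone@localhost/keystone' \
        > "$1/etc/keystone/keystone.conf"
    printf '[DEFAULT]\nsql_connection = mysql://glance:glance@localhost/glance\n' \
        > "$1/etc/glance/glance-api.conf"
}

demo=$(mktemp -d) && make_sample_tree "$demo" && audit_controller "$demo"
rm -rf "$demo"
```

On the controller itself, `audit_controller ""` reads the live files under /etc.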

    Installing the OpenStack Icehouse controller on CentOS 6.4 (Part 2)


  • Original article: https://www.cnblogs.com/myiaas/p/4161322.html