
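CentOS6.5+OpenStack+kvm Cloud Platform Deployment
Havana (Nova-Network edition)

Note: the screenshots below are provided for reference only; their parameters are not necessarily the same as in the document, and the technical points enclosed in rectangles can be ignored.

I. Host allocation

    Hostname    IP (static)           OS                          Configuration                        Role
    openstack   (missing in source)   CentOS-6.5-x86_64-minimal   4 CPU, 16G RAM, 300G disk, 2 NICs    management node / compute node
    node        (missing in source)   CentOS-6.5-x86_64-minimal   4 CPU, 16G RAM, 300G disk, 2 NICs    compute node

II. Management node installation (OpenStack)

1. Basic configuration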

The system is installed from CentOS-6.5-x86_64-minimal.iso; the installation process itself is omitted. This document installs everything from yum repositories.

(1) Import the third-party repositories:

    [root@openstack ~]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    [root@openstack ~]# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
    # the host part of the next URL is missing in the source
    [root@openstack ~]# yum install …/repos/openstack/openstack-havana/rdo-release-havana-7.noarch.rpm

(2) Configure the /etc/hosts file (the IPv4 addresses are missing in the source):

    [root@openstack ~]# vi /etc/hosts
    <address missing>   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1                 localhost localhost.localdomain localhost6 localhost6.localdomain6
    <address missing>   openstack
    <address missing>   node

(3) Configure the network (the IPADDR, NETMASK and GATEWAY values are missing in the source):

    [root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE="eth0"
    BOOTPROTO="static"
    HWADDR="E4:1F:13:45:AB:C8"
    ONBOOT="yes"
    IPADDR=
    NETMASK=
    GATEWAY=
    TYPE="Ethernet"

    [root@openstack ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
    DEVICE="eth1"
    BOOTPROTO="none"
    HWADDR="E4:1F:13:45:AB:CA"
    ONBOOT="yes"
    TYPE="Ethernet"

(4) Disable SELinux:

    [root@openstack ~]# more /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    #     targeted - Only targeted network daemons are protected.
    #     strict - Full SELinux protection.
    SELINUXTYPE=targeted
    [root@openstack ~]# setenforce 0

(5) Modify the /etc/sysctl.conf parameters:

    [root@openstack ~]# vi /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    [root@openstack ~]# sysctl -p    # apply the sysctl.conf settings

2. Install and configure the NTP service

(1) Install the NTP service:

    [root@openstack ~]# yum -y install ntp

(2) Configure the NTP service (the IP addresses on the restrict, server and fudge lines are missing in the source):

    [root@openstack ~]# vi /etc/ntp.conf
    driftfile /var/lib/ntp/drift
    restrict default ignore
    restrict <address missing>
    restrict <address missing> mask <mask missing> nomodify notrap
    server ntp.api.bz
    server <address missing>    # local clock
    fudge <address missing> stratum 10
    keys /etc/ntp/keys

(3) Start the NTP service and enable it at boot:

    [root@openstack ~]# service ntpd start
    [root@openstack ~]# chkconfig ntpd on

3. Install and configure MySQL

(1) Install the MySQL service:

    [root@openstack ~]# yum -y install mysql mysql-server MySQL-python

(2) Modify the MySQL configuration file (the bind-address value is missing in the source):

    [root@openstack ~]# vi /etc/my.cnf
    [mysqld]
    datadir=/var/lib/mysql
    socket=/var/lib/mysql/mysql.sock
    user=mysql
    # Disabling symbolic-links is recommended to prevent assorted security risks
    symbolic-links=0
    bind-address =          # set the listening IP address
    [mysqld_safe]
    log-error=/var/log/mysqld.log
    pid-file=/var/run/mysqld/mysqld.pid

(3) Start the MySQL service and enable it at boot:

    [root@openstack ~]# service mysqld start
    [root@openstack ~]# chkconfig mysqld on

(4) Change the MySQL password to passwd:

    [root@openstack ~]# mysqladmin -uroot password 'passwd'
    [root@openstack ~]# history -c

4. Install and configure the qpid service

(1) Install the qpid service:

    [root@openstack ~]# yum -y install qpid-cpp-server memcached

(2) Modify the /etc/qpidd.conf configuration file, setting auth to no:

    [root@openstack ~]# vi /etc/qpidd.conf
    auth=no

(3) Start the qpid service and enable it at boot:

    [root@openstack ~]# service qpidd start
    [root@openstack ~]# chkconfig qpidd on

(4) Install the OpenStack utilities package:

    [root@openstack ~]# yum install -y openstack-utils

5. Install and configure KeyStone

5.1. Initialize KeyStone

(1) Install the KeyStone service:

    [root@openstack ~]# yum -y install openstack-keystone

[Screenshot: yum output. openstack-keystone is installed together with its dependencies PyPAM, python-dogpile-cache, python-dogpile-core, python-keystone (2013.2.3-3.el6), python-oauth2 and python-passlib, ending with "Complete!".]

(2) Create the keystone database and modify the database connection in the configuration file:

    [root@openstack ~]# openstack-db --init --service keystone
    Please enter the password for the 'root' MySQL user:
    Verified connectivity to MySQL.
    Creating 'keystone' database.
    Initializing the keystone database, please wait...
    Complete!

(3) Modify the database connection in the configuration file:

    [root@openstack ~]# openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:keystone@localhost/keystone

(4) Use openssl to generate a random token and store it in the configuration file:

    [root@openstack ~]# export SERVICE_TOKEN=$(openssl rand -hex 10)    # randomly generated SERVICE_TOKEN value; keep a record of it
    [root@openstack ~]# export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
    [root@openstack ~]# mkdir /root/config
    [root@openstack ~]# echo $SERVICE_TOKEN > /root/config/admin.txt
    [root@openstack ~]# cat /root/config/admin.txt
    9860f4302f7e344ca901
    [root@openstack ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN

*Note: the generated SERVICE_TOKEN value is written to a file so that it can be reused later; every SERVICE_TOKEN value used from here on is read from admin.txt. Once the value has been written to the file, do not run the command that generates SERVICE_TOKEN again, otherwise the old and new values will no longer match and debugging becomes difficult.

(5) By default keystone uses PKI tokens. Create the signing keys and certificates:

    [root@openstack ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

[Screenshot: keystone-manage pki_setup output. keystone.common.openssl logs the openssl calls that generate 2048-bit RSA keys for the CA and for signing, create the CA certificate (-days 3650, subject /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com) and sign the signing certificate, ending with "Signature ok" and "Data Base Updated".]

    [root@openstack ~]# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log

(6) Start the keystone service and enable it at boot:

    [root@openstack ~]# service openstack-keystone start
    [root@openstack ~]# chkconfig openstack-keystone on

5.2. Define Users, Tenants and Roles

(1) Modify the .bash_profile file and add the following parameters:

    [root@openstack ~]# vi .bash_profile
    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
    export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
    export SERVICE_TOKEN=9860f4302f7e344ca901

Run the following command so that the variables take effect immediately:

    [root@openstack ~]# source .bash_profile

(2) Create a tenant for the administrator user, and a tenant for the users of the other openstack services:

    [root@openstack ~]# keystone tenant-create --name=admin --description='Admin Tenant'
    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |           Admin Tenant           |
    |   enabled   |               True               |
    |      id     | 7d01c6a51b584260b61c3da0e0319546 |
    |     name    |              admin               |
    +-------------+----------------------------------+

    [root@openstack ~]# keystone tenant-create --name=service --description='Service Tenant'

[Screenshot: the same warning, followed by the property table of the new tenant (description Service Tenant, enabled True, name service).]

(3) Create an administrator user named admin (the e-mail domain is missing in the source):

    [root@openstack ~]# keystone user-create --name=admin --pass=password --email=keystone@<domain missing>

[Screenshot: the same warning, followed by the property table of the admin user.]

(4) Create an administrator role named admin:

    [root@openstack ~]# keystone role-create --name=admin

[Screenshot: the same warning, followed by the property table of the admin role.]

(5) Add the role to the user:

    [root@openstack ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

[Screenshot: the command prints only the same warning.]
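An added check, not part of the original guide: the script below reads the files edited in the steps so far and lists which of the guide's settings are in effect (SELinux disabled, qpid auth=no, Keystone admin_token set, credentials exported from .bash_profile, mode of the saved token file). The function names and the ROOT argument are assumptions of this example, and the sample files are constructed from values shown on this page.

```shell
#!/bin/sh
# Added example, not from the original guide. Reports which of the guide's
# settings are present. ROOT ("" = live system) lets it run against a copy.

# conf_get FILE KEY: value of the last uncommented "KEY=value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# audit_node ROOT: prints one finding per line.
audit_node() {
    root=$1
    [ "$(conf_get "$root/etc/selinux/config" SELINUX)" = "disabled" ] &&
        echo "selinux: SELINUX=disabled"
    [ "$(conf_get "$root/etc/qpidd.conf" auth)" = "no" ] &&
        echo "qpid: auth=no, broker accepts unauthenticated clients"
    [ -n "$(conf_get "$root/etc/keystone/keystone.conf" admin_token)" ] &&
        echo "keystone: admin_token is set (shared secret with admin rights)"
    for var in SERVICE_TOKEN OS_PASSWORD; do
        grep -Eq "^[[:space:]]*export[[:space:]]+$var=[^[:space:]]" \
            "$root/root/.bash_profile" 2>/dev/null &&
            echo "profile: $var exported in cleartext"
    done
    # The guide saves the token in /root/config/admin.txt; flag other-read mode.
    [ -n "$(find "$root/root/config/admin.txt" -perm -004 2>/dev/null)" ] &&
        echo "token file: admin.txt mode grants read to others"
    return 0
}

# make_sample DIR: constructed files carrying the values shown in the guide.
make_sample() {
    mkdir -p "$1/etc/selinux" "$1/etc/keystone" "$1/root/config"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$1/etc/selinux/config"
    printf 'auth=no\n' > "$1/etc/qpidd.conf"
    printf '[DEFAULT]\nadmin_token = 9860f4302f7e344ca901\n' > "$1/etc/keystone/keystone.conf"
    printf 'export OS_PASSWORD=password\nexport SERVICE_TOKEN=9860f4302f7e344ca901\n' \
        > "$1/root/.bash_profile"
    echo 9860f4302f7e344ca901 > "$1/root/config/admin.txt"
    chmod 644 "$1/root/config/admin.txt"
}

demo=$(mktemp -d) && make_sample "$demo" && audit_node "$demo"
rm -rf "$demo"
```

On a deployed node, `audit_node ""` reads the live paths; an empty result means none of the listed settings were found.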

5.3. Define Services and API Endpoints

(1) Create a service for KeyStone:

    [root@openstack ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

[Screenshot: the same warning, followed by the property table of the new service (description Keystone Identity Service, name keystone, type identity).]

(2) Create an endpoint using the service ID:

    [root@openstack ~]# vi /root/config/keystone.sh
    #!/bin/bash
    # the value of my_ip is missing in the source
    my_ip=
    # take the ID column of the keystone row in the service list
    service=$(keystone service-list | awk '/keystone/ {print $2}')
    keystone endpoint-create --service-id=$service --publicurl=http://$my_ip:5000/v2.0 --internalurl=http://$my_ip:5000/v2.0 --adminurl=http://$my_ip:35357/v2.0

    [root@openstack ~]# sh /root/config/keystone.sh

[Screenshot: the same warning, followed by the property table of the new endpoint (adminurl on port 35357, internalurl and publicurl on port 5000, region regionOne).]

6. Install and configure Glance

6.1. Initialize Glance

(1) Install the Glance service:

    [root@openstack ~]# yum -y install openstack-glance

(2) Create the Glance database:

    [root@openstack ~]# openstack-db --init --service glance

[Screenshot: migrate.versioning.api INFO log lines for the Glance database migrations, dated 2014-05-09, ending with "Complete!".]

(3) Modify the database connection in the configuration files:

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf DEFAULT sql_connection mysql://glance:glance@localhost/glance

6.2. Create the User, define Services and API Endpoints

(1) Create a glance user for the Glance service:

    [root@openstack ~]# keystone user-create --name=glance --pass=service

    [root@openstack ~]# sh /root/config/glance.sh
    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    |      id     | fe281515d406407bbcd4887cb5815de4 |
    |   adminurl  |              :9292               |
    | internalurl |              :9292               |
    |  publicurl  |              :9292               |
    |    region   |            regionOne             |
    |  service_id | 7c0102f0e715479e9292c0581d214de2 |
    +-------------+----------------------------------+

6.3. Configure the Glance service

(1) Add the keystone authentication information to the glance configuration files (the auth_host value is missing in the source):

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_port 35357
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_protocol http
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password service
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_port 35357
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_protocol http
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password service

(2) Modify the ini file path and add the keystone authentication information to the ini file:

    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy config_file /etc/glance/glance-api-paste.ini
    [root@openstack ~]# openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
    [root@openstack ~]# openstack-config --set /etc/glance/glance-registry.conf paste_deploy config_file
