Building and Using an OpenStack Cloud Platform

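Overview

Build an OpenStack private cloud platform on CentOS 7.

Objectives

(1) Master basic Linux operations, including changing the hostname and configuring the network.
(2) Master building an OpenStack private cloud platform.

Lab Environment

Prerequisites:
CentOS 7.2 Linux.
The XianDian-IaaS-v2.2.iso image file.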

  • 192.168.0.21 controller
  • 192.168.0.20 compute

Procedure

  • Each of the two nodes has two NICs: one in NAT mode and the other in host-only mode
  • Configure the IP addresses
    • controller node
[root@controller ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:19:16:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe19:1674/64 scope link 
       valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:19:16:7e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe19:167e/64 scope link 
       valid_lft forever preferred_lft forever
[root@controller ~]# cp /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ifcfg-eno33554984
[root@controller ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno33554984
[root@compute ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno33554984
TYPE=Ethernet1
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eno33554984
DEVICE=eno33554984
ONBOOT=yes
DNS1=114.114.114.114
IPADDR=192.168.10.21
PREFIX=24
GATEWAY=192.168.10.2
~
"/etc/sysconfig/network-scripts/ifcfg-eno33554984" 11L, 187C written                 
[root@controller ~]# systemctl restart network
[root@controller ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:19:16:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe19:1674/64 scope link 
       valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:19:16:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.20/24 brd 192.168.10.255 scope global eno33554984
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe19:167e/64 scope link 
       valid_lft forever preferred_lft forever
    • compute node
[root@compute ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno33554984
TYPE=Ethernet1
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eno33554984
DEVICE=eno33554984
ONBOOT=yes
DNS1=114.114.114.114
IPADDR=192.168.10.21
PREFIX=24
GATEWAY=192.168.10.2

[root@compute ~]# systemctl restart network
[root@compute ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:f6:6f:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.21/24 brd 192.168.0.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:6fa1/64 scope link 
       valid_lft forever preferred_lft forever
3: eno33554984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:f6:6f:ab brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.21/24 brd 192.168.10.255 scope global eno33554984
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:6fab/64 scope link 
       valid_lft forever preferred_lft forever
  • Ping test
[root@controller ~]# ping 192.168.10.21
PING 192.168.10.21 (192.168.10.21) 56(84) bytes of data.
64 bytes from 192.168.10.21: icmp_seq=1 ttl=64 time=0.454 ms
64 bytes from 192.168.10.21: icmp_seq=2 ttl=64 time=2.76 ms
64 bytes from 192.168.10.21: icmp_seq=3 ttl=64 time=0.946 ms
^C
--- 192.168.10.21 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.454/1.389/2.769/0.996 ms
[root@controller ~]# 

  • Change the hostnames
[root@centos7 ~]# hostnamectl set-hostname controller
[root@cemtos7 ~]# hostnamectl set-hostname compute
  • Disable the firewall (on both nodes)
[root@centos7 ~]# iptables -F
[root@centos7 ~]# iptables -Z
[root@centos7 ~]# iptables -X
[root@centos7 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat May 28 00:34:45 2022
*filter
:INPUT ACCEPT [34:2652]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:2008]
COMMIT
# Completed on Sat May 28 00:34:45 2022
[root@centos7 ~]# systemctl stop firewalld
[root@centos7 ~]# systemctl disable firewalld
[root@centos7 ~]# cat /etc/selinux/config 
## Set SELINUX=disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
  • Add hostname resolution entries
[root@centos7 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.20 controller
192.168.10.21 compute
  • Mount xiandian.iso (on both nodes)
[root@compute ~]# ls
anaconda-ks.cfg  XianDian-IaaS-v2.2.iso
[root@controller ~]# vim /etc/fstab
#
# /etc/fstab
# Created by anaconda on Sat Mar 12 04:06:23 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=85b39342-ac84-47e5-919c-9faef57e0c58 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
/dev/sr0 /cdrom iso9660 defaults 0 0
/root/XianDian-IaaS-v2.2.iso  /xiandian iso9660 defaults 0 0
[root@controller ~]# mount -a
mount: /dev/loop0 is write-protected, mounting read-only
[root@controller ~]# cat /etc/yum.repos.d/local.repo 
[local]
name=local
baseurl=file:///cdrom
enabled=1
gpgcheck=0
[xiandian]
name=xiandian
baseurl=file:///xiandian/iaas-repo
enabled=1
gpgcheck=0
[root@controller ~]# yum repolist
Loaded plugins: fastestmirror
local                                                                 | 3.6 kB  00:00:00     
xiandian                                                              | 2.9 kB  00:00:00     
xiandian/primary_db                                                   | 2.3 MB  00:00:00     
Loading mirror speeds from cached hostfile
repo id                                    repo name                                   status
local                                      local                                       3,723
xiandian                                   xiandian                                    1,688
repolist: 5,411
[root@controller ~]# 

  • Install iaas-xiandian on both the controller and compute nodes
[root@controller ~]# yum install iaas-xiandian -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package iaas-xiandian.x86_64 0:2.2-0 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package                   Arch               Version             Repository            Size
=============================================================================================
Installing:
 iaas-xiandian             x86_64             2.2-0               xiandian              22 k

Transaction Summary
=============================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 93 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : iaas-xiandian-2.2-0.x86_64                                                1/1 
  Verifying  : iaas-xiandian-2.2-0.x86_64                                                1/1 

Installed:
  iaas-xiandian.x86_64 0:2.2-0                                                               

Complete!
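  • On both nodes, edit the global configuration file openrc.sh. Fill it in following the configuration file shown below; the IP addresses involved must be set according to the controller and compute node IPs in your actual environment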
  • The compute node first needs two additional disks or partitions (here I use sdb and sdc)
[root@compute ~]# lsblk
NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda               8:0    0   50G  0 disk 
├─sda1            8:1    0  500M  0 part /boot
└─sda2            8:2    0   24G  0 part 
  ├─centos-root 253:0    0   20G  0 lvm  /
  └─centos-swap 253:1    0    4G  0 lvm  [SWAP]
sdb               8:16   0   10G  0 disk 
sdc               8:32   0   20G  0 disk 
sr0              11:0    1    4G  0 rom  /cdrom
loop0             7:0    0  2.7G  0 loop /xiandian
[root@controller ~]# cat /etc/xiandian/openrc.sh
##--------------------system Config--------------------##
##Controller Server Manager IP. example:x.x.x.x
HOST_IP=192.168.10.20

##Controller Server hostname. example:controller
HOST_NAME=controller

##Compute Node Manager IP. example:x.x.x.x
HOST_IP_NODE=192.168.10.21

##Compute Node hostname. example:compute
HOST_NAME_NODE=compute

##--------------------Rabbit Config ------------------##
##user for rabbit. example:openstack
RABBIT_USER=openstack

##Password for rabbit user .example:000000
RABBIT_PASS=000000

##--------------------MySQL Config---------------------##
##Password for MySQL root user . exmaple:000000
DB_PASS=000000

##--------------------Keystone Config------------------##
##Password for Keystore admin user. exmaple:000000
DOMAIN_NAME=demo
ADMIN_PASS=000000
DEMO_PASS=000000

##Password for Mysql keystore user. exmaple:000000
KEYSTONE_DBPASS=000000

##--------------------Glance Config--------------------##
##Password for Mysql glance user. exmaple:000000
GLANCE_DBPASS=000000

##Password for Keystore glance user. exmaple:000000
GLANCE_PASS=000000

##--------------------Nova Config----------------------##
##Password for Mysql nova user. exmaple:000000
NOVA_DBPASS=000000

##Password for Keystore nova user. exmaple:000000
NOVA_PASS=000000

##--------------------Neturon Config-------------------##
##Password for Mysql neutron user. exmaple:000000
NEUTRON_DBPASS=000000

##Password for Keystore neutron user. exmaple:000000
NEUTRON_PASS=000000

##metadata secret for neutron. exmaple:000000
METADATA_SECRET=000000

##External Network Interface. example:eth1
INTERFACE_NAME=name of NIC 1 (the NAT-mode one)

##First Vlan ID in VLAN RANGE for VLAN Network. exmaple:101
#minvlan=

##Last Vlan ID in VLAN RANGE for VLAN Network. example:200
#maxvlan=000000

##--------------------Cinder Config--------------------##
##Password for Mysql cinder user. exmaple:000000
CINDER_DBPASS=000000

##Password for Keystore cinder user. exmaple:000000
CINDER_PASS=000000

##Cinder Block Disk. example:md126p3
BLOCK_DISK=sdb

##--------------------Trove Config--------------------##
##Password for Mysql Trove User. exmaple:000000
TROVE_DBPASS=000000

##Password for Keystore Trove User. exmaple:000000
TROVE_PASS=000000

##--------------------Swift Config---------------------##
##Password for Keystore swift user. exmaple:000000
SWIFT_PASS=000000

##The NODE Object Disk for Swift. example:md126p4.
OBJECT_DISK=sdc

##The NODE IP for Swift Storage Network. example:x.x.x.x.
STORAGE_LOCAL_NET_IP=192.168.0.21

##--------------------Heat Config----------------------##
##Password for Mysql heat user. exmaple:000000
HEAT_DBPASS=000000

##Password for Keystore heat user. exmaple:000000
HEAT_PASS=000000

##--------------------Ceilometer Config----------------##
##Password for Mysql ceilometer user. exmaple:000000
CEILOMETER_DBPASS=000000

##Password for Keystore ceilometer user. exmaple:000000
CEILOMETER_PASS=000000

##--------------------AODH Config----------------##
##Password for Mysql AODH user. exmaple:000000
AODH_DBPASS=000000

##Password for Keystore AODH user. exmaple:000000
AODH_PASS=000000
[root@controller ~]# scp /etc/xiandian/openrc.sh root@compute:/etc/xiandian/openrc.sh 
The authenticity of host 'compute (192.168.0.21)' can't be established.
ECDSA key fingerprint is c8:fe:fe:fa:9d:73:26:60:f9:cb:13:2b:bb:e8:d9:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'compute' (ECDSA) to the list of known hosts.
root@compute's password: 
openrc.sh                                                            100% 3095     3.0KB/s   00:00  
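
The openrc.sh above sets every service, database and admin password, plus METADATA_SECRET, to 000000, and the install scripts then write those values into MariaDB, RabbitMQ and Keystone. The following script is an added example, not part of the original post or of the XianDian tooling: it lists the weak secrets in an openrc.sh-style file and replaces each with its own random value. The 16-character minimum and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the XianDian tooling: find and replace weak
# secrets in an openrc.sh-style KEY=VALUE file before the installers read it.

MIN_LEN=16   # assumed policy threshold, not a XianDian requirement

# is_secret_key KEY -> 0 for *_PASS, *_DBPASS and METADATA_SECRET style names.
is_secret_key() {
    case $1 in
        *[!A-Z_]*) return 1 ;;      # comment lines, lowercase keys such as #maxvlan
        *PASS|*SECRET) return 0 ;;
        *) return 1 ;;
    esac
}

# is_weak VALUE -> 0 when VALUE is shorter than MIN_LEN or is a single
# character repeated (000000, 0000000000000000, ...).
is_weak() {
    [ "${#1}" -ge "$MIN_LEN" ] || return 0
    distinct=$(printf '%s' "$1" | fold -w1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 2 ] || return 0
    return 1
}

# new_secret -> 32 hex characters built from 16 bytes of /dev/urandom.
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# audit_openrc FILE -> prints each weak secret key; returns 1 if any was found.
audit_openrc() {
    weak_keys=$(while IFS= read -r line || [ -n "$line" ]; do
        case $line in *=*) ;; *) continue ;; esac
        key=${line%%=*}
        if is_secret_key "$key" && is_weak "${line#*=}"; then
            printf '%s\n' "$key"
        fi
    done < "$1")
    [ -n "$weak_keys" ] || return 0
    printf '%s\n' "$weak_keys"
    return 1
}

# harden_openrc FILE -> gives every weak secret its own random value, keeps all
# other lines unchanged, and leaves the file readable by its owner only.
harden_openrc() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    chmod 600 "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        case $line in
            *=*)
                if is_secret_key "$key" && is_weak "${line#*=}"; then
                    line="$key=$(new_secret)"
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Demo on a constructed sample that reuses key names from the file above.
demo_dir=$(mktemp -d)
sample=$demo_dir/openrc.sh
cat > "$sample" <<'EOF'
##Password for rabbit user .example:000000
RABBIT_PASS=000000
DOMAIN_NAME=demo
ADMIN_PASS=000000
METADATA_SECRET=000000
#maxvlan=000000
EOF
echo "Weak secrets before:"; audit_openrc "$sample" || true
harden_openrc "$sample"
audit_openrc "$sample" && echo "Weak secrets after: none"
rm -rf "$demo_dir"
```

Run it against /etc/xiandian/openrc.sh on the controller before the scp to compute and before any iaas-*.sh script, so both nodes read identical values. That the installers accept 32-character hex values is an assumption to confirm on a test node.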
  • Run the script iaas-pre-host.sh on both the controller and compute nodes to perform the installation. After the configuration completes, reboot both nodes
[root@controller ~]# iaas-pre-host.sh
  python2-debtcollector.noarch 0:1.3.0-1.el7                                                           
  python2-funcsigs.noarch 0:0.4-2.el7                                                                  
  python2-iso8601.noarch 0:0.1.11-1.el7                                                                
  python2-jsonpatch.noarch 0:1.14-1.el7                                                                
  python2-jsonpointer.noarch 0:1.10-4.el7                                                              
  python2-keystoneauth1.noarch 0:2.4.1-1.el7                                                           
  python2-openstacksdk.noarch 0:0.8.3-1.el7                                                            
  python2-os-client-config.noarch 0:1.16.0-1.el7                                                       
  python2-oslo-config.noarch 2:3.9.0-1.el7                                                             
  python2-oslo-i18n.noarch 0:3.4.0-1.el7                                                               
  python2-oslo-serialization.noarch 0:2.4.0-1.el7                                                      
  python2-oslo-utils.noarch 0:3.7.0-1.el7                                                              
  python2-positional.noarch 0:1.0.1-1.el7                                                              
  python2-pyasn1.noarch 0:0.1.9-6.el7.1                                                                
  python2-pysocks.noarch 0:1.5.6-3.el7                                                                 
  python2-requestsexceptions.noarch 0:1.1.3-1.el7                                                      
  python2-setuptools.noarch 0:22.0.5-1.el7                                                             
  pytz.noarch 0:2012d-5.el7                                                                            
  setools-libs.x86_64 0:3.3.7-46.el7                                                                   

Complete!
Please Reboot or Reconnect the terminal

  • On the controller node, run the script iaas-install-mysql.sh to install the database and message queue services
[root@controller ~]# iaas-install-mysql.sh
Thanks for using MariaDB!
Created symlink from /etc/systemd/system/multi-user.target.wants/mongod.service to /usr/lib/systemd/system/mongod.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
Creating user "openstack" ...
Setting permissions for user "openstack" in vhost "/" ...
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller ~]# 
  • On the controller node, run the script iaas-install-keystone.sh to install the keystone authentication service
[root@controller ~]#  iaas-install-keystone.sh
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | 81ea07237d034c4e99369581c1b4db89 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| enabled   | True                             |
| id        | 2bee802355b24023968dc6e4bd11c983 |
| name      | admin                            |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 28e00fea5f4344edaa093f617fc55d5a |
| name      | admin                            |
+-----------+----------------------------------+
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | 09ecb096e1034e5b9e5166adfc15a6f0 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | 5e04233827f848228c4a5a238c1e780b |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| enabled   | True                             |
| id        | ebb2d2324b054189acf2bd5a62b6555a |
| name      | demo                             |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | a243425ce82c445c98e98b021165f737 |
| name      | user                             |
+-----------+----------------------------------+
  • On the controller node, run the script iaas-install-glance.sh to install the glance image service
[root@controller ~]# iaas-install-glance.sh
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7505aaf809124ae9b05dfe30de8ce6e0 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 13051029aec94967a8dc19238e1f9d8c |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | bc3d5a5d0ea14992baff0b89f470d3ee |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 13051029aec94967a8dc19238e1f9d8c |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
Option "verbose" from group "DEFAULT" is deprecated for removal.  Its value may be silently ignored in the future.
/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py:1056: OsloDBDeprecationWarning: EngineFacade is deprecated; please use oslo_db.sqlalchemy.enginefacade
  expire_on_commit=expire_on_commit, _conf=conf)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:146: Warning: Duplicate index 'ix_image_properties_image_id_name' defined on the table 'glance.image_properties'. This is deprecated and will be disallowed in a future release.
  result = self._query(query)
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-api.service to /usr/lib/systemd/system/openstack-glance-api.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-registry.service to /usr/lib/systemd/system/openstack-glance-registry.service.
  • On the controller node, run the script iaas-install-nova-controller.sh to install the nova compute service
[root@controller ~]# iaas-install-nova-controller.sh
Dependency Installed:
  jbigkit-libs.x86_64 0:2.0-11.el7               libjpeg-turbo.x86_64 0:1.2.90-5.el7                  
  libtiff.x86_64 0:4.0.3-25.el7_2                libwebp.x86_64 0:0.3.0-3.el7                         
  libxslt.x86_64 0:1.1.28-5.el7                  novnc.noarch 0:0.5.1-2.el7                           
  openstack-nova-common.noarch 1:13.1.0-1.el7    python-cheetah.x86_64 0:2.4.4-5.el7.centos           
  python-lxml.x86_64 0:3.2.1-4.el7               python-markdown.noarch 0:2.4.1-1.el7.centos          
  python-nova.noarch 1:13.1.0-1.el7              python-pillow.x86_64 0:2.0.0-19.gitd1c6db8.el7       
  python-psutil.x86_64 0:1.2.1-1.el7             python-pygments.noarch 0:2.0.2-4.el7                 
  python-websockify.noarch 0:0.8.0-1.el7         python2-ecdsa.noarch 0:0.13-4.el7                    
  python2-mock.noarch 0:1.3.0-2.el7              python2-os-brick.noarch 0:1.1.0-1.el7                
  python2-oslo-reports.noarch 0:1.6.0-1.el7      python2-oslo-versionedobjects.noarch 0:1.7.0-1.el7   
  python2-paramiko.noarch 0:1.16.1-1.el7         python2-rfc3986.noarch 0:0.3.1-1.el7                 

Complete!
/usr/lib/python2.7/site-packages/pymysql/cursors.py:146: Warning: Duplicate index 'block_device_mapping_instance_uuid_virtual_name_device_name_idx' defined on the table 'nova.block_device_mapping'. This is deprecated and will be disallowed in a future release.
  result = self._query(query)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:146: Warning: Duplicate index 'uniq_instances0uuid' defined on the table 'nova.instances'. This is deprecated and will be disallowed in a future release.
  result = self._query(query)
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-api.service to /usr/lib/systemd/system/openstack-nova-api.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-consoleauth.service to /usr/lib/systemd/system/openstack-nova-consoleauth.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-scheduler.service to /usr/lib/systemd/system/openstack-nova-scheduler.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-conductor.service to /usr/lib/systemd/system/openstack-nova-conductor.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-novncproxy.service to /usr/lib/systemd/system/openstack-nova-novncproxy.service.
  • On the compute node, run the script iaas-install-nova-compute.sh to install nova
[root@compute ~]# iaas-install-nova-compute.sh
 qemu-img-ev.x86_64 10:2.3.0-31.el7.16.1                                                               
  qemu-kvm-common-ev.x86_64 10:2.3.0-31.el7.16.1                                                        
  qemu-kvm-ev.x86_64 10:2.3.0-31.el7.16.1                                                               
  quota.x86_64 1:4.01-11.el7_2.1                                                                        
  quota-nls.noarch 1:4.01-11.el7_2.1                                                                    
  radvd.x86_64 0:1.9.2-9.el7                                                                            
  rpcbind.x86_64 0:0.2.0-33.el7_2.1                                                                     
  rsync.x86_64 0:3.0.9-17.el7                                                                           
  rsyslog-mmjsonparse.x86_64 0:7.4.7-12.el7                                                             
  scrub.x86_64 0:2.5.2-5.el7                                                                            
  seabios-bin.noarch 0:1.7.5-11.el7                                                                     
  seavgabios-bin.noarch 0:1.7.5-11.el7                                                                  
  sg3_utils.x86_64 0:1.37-5.el7                                                                         
  sg3_utils-libs.x86_64 0:1.37-5.el7                                                                    
  sgabios-bin.noarch 1:0.20110622svn-4.el7                                                              
  spice-server.x86_64 0:0.12.4-15.el7_2.2                                                               
  supermin5.x86_64 0:5.1.10-1.2.el7                                                                     
  sysfsutils.x86_64 0:2.1.0-16.el7                                                                      
  syslinux.x86_64 0:4.05-12.el7                                                                         
  syslinux-extlinux.x86_64 0:4.05-12.el7                                                                
  tcp_wrappers.x86_64 0:7.6-77.el7                                                                      
  unbound-libs.x86_64 0:1.4.20-26.el7                                                                   
  urw-fonts.noarch 0:2.4-16.el7                                                                         
  usbredir.x86_64 0:0.6-7.el7                                                                           
  xorg-x11-font-utils.x86_64 1:7.5-20.el7                                                               
  yajl.x86_64 0:2.0.4-4.el7                                                                             
  yum-utils.noarch 0:1.1.31-34.el7                                                                      

Dependency Updated:
  cyrus-sasl-lib.x86_64 0:2.1.26-20.el7_2                 gnutls.x86_64 0:3.3.8-14.el7_2                

Complete!
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-compute.service to /usr/lib/systemd/system/openstack-nova-compute.service.
  • On the controller node, run the script iaas-install-neutron-controller.sh to install the neutron network service
[root@controller ~]# iaas-install-neutron-controller.sh
INFO  [alembic.runtime.migration] Running upgrade lbaasv2 -> 4deef6d81931, add provisioning and operating statuses
INFO  [alembic.runtime.migration] Running upgrade 4deef6d81931 -> 4b6d8d5310b8, add_index_tenant_id
INFO  [alembic.runtime.migration] Running upgrade 4b6d8d5310b8 -> 364f9b6064f0, agentv2
INFO  [alembic.runtime.migration] Running upgrade 364f9b6064f0 -> lbaasv2_tls, lbaasv2 TLS
INFO  [alembic.runtime.migration] Running upgrade lbaasv2_tls -> 4ba00375f715, edge_driver
INFO  [alembic.runtime.migration] Running upgrade 4ba00375f715 -> kilo, kilo
INFO  [alembic.runtime.migration] Running upgrade kilo -> 3345facd0452, Initial Liberty no-op expand script.
INFO  [alembic.runtime.migration] Running upgrade 3345facd0452 -> 4a408dd491c2, Addition of Name column to lbaas_members and lbaas_healthmonitors table
INFO  [alembic.runtime.migration] Running upgrade 4a408dd491c2 -> 3426acbc12de, Add flavor id
INFO  [alembic.runtime.migration] Running upgrade 3426acbc12de -> 6aee0434f911, independent pools
INFO  [alembic.runtime.migration] Running upgrade 6aee0434f911 -> 3543deab1547, add_l7_tables
INFO  [alembic.runtime.migration] Running upgrade 3543deab1547 -> 62deca5010cd, Add tenant-id index for L7 tables
INFO  [alembic.runtime.migration] Running upgrade kilo -> 130ebfdef43, Initial Liberty no-op contract revision.
  OK
Created symlink from /etc/systemd/system/multi-user.target.wants/openvswitch.service to /usr/lib/systemd/system/openvswitch.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-server.service to /usr/lib/systemd/system/neutron-server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-openvswitch-agent.service to /usr/lib/systemd/system/neutron-openvswitch-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-dhcp-agent.service to /usr/lib/systemd/system/neutron-dhcp-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-l3-agent.service to /usr/lib/systemd/system/neutron-l3-agent.service.
  • On the compute node, run the script iaas-install-neutron-compute.sh to install the neutron network service
[root@compute ~]# iaas-install-neutron-compute.sh

Dependency Installed:
conntrack-tools.x86_64 0:1.4.2-9.el7 dibbler-client.x86_64 0:1.0.1-0.RC1.2.el7
dnsmasq-utils.x86_64 0:2.66-14.el7_2.1 ipset-libs.x86_64 0:6.19-4.el7
keepalived.x86_64 0:1.2.13-7.el7 libnetfilter_cthelper.x86_64 0:1.0.0-8.el7
libnetfilter_cttimeout.x86_64 0:1.0.0-6.el7 libnetfilter_queue.x86_64 0:1.0.2-2.el7
libxml2-python.x86_64 0:2.9.1-6.el7_2.3 libxslt-python.x86_64 0:1.1.28-5.el7
lm_sensors-libs.x86_64 0:3.3.4-11.el7 net-snmp-agent-libs.x86_64 1:5.7.2-24.el7_2.1
net-snmp-libs.x86_64 1:5.7.2-24.el7_2.1 openstack-neutron-common.noarch 1:8.1.2-1.el7
openvswitch.x86_64 0:2.5.0-2.el7 python-beautifulsoup4.noarch 0:4.4.1-3.el7
python-designateclient.noarch 0:2.0.0-1.el7 python-html5lib.noarch 1:0.999-5.el7
python-logutils.noarch 0:0.3.3-3.el7 python-ncclient.noarch 0:0.4.2-2.el7
python-neutron.noarch 1:8.1.2-1.el7 python-neutron-lib.noarch 0:0.0.2-1.el7
python-openvswitch.noarch 0:2.5.0-2.el7 python-ryu.noarch 0:3.30-1.el7
python-simplegeneric.noarch 0:0.8-7.el7 python-waitress.noarch 0:0.8.9-5.el7
python-webtest.noarch 0:2.0.23-1.el7 python2-pecan.noarch 0:1.0.2-2.el7
python2-singledispatch.noarch 0:3.4.0.3-4.el7

Dependency Updated:
libxml2.x86_64 0:2.9.1-6.el7_2.3

Complete!
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
Created symlink from /etc/systemd/system/multi-user.target.wants/openvswitch.service to /usr/lib/systemd/system/openvswitch.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-openvswitch-agent.service to /usr/lib/systemd/system/neutron-openvswitch-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.

  • On the controller node, run the script iaas-install-neutron-controller-gre.sh to install and configure the GRE network
[root@controller ~]# iaas-install-neutron-controller-gre.sh

INFO  [alembic.runtime.migration] Will assume non-transacti
  • On the compute node, run the script iaas-install-neutron-compute-gre.sh to install and configure the GRE network
[root@compute ~]# iaas-install-neutron-compute-gre.sh

  • On the controller node, run the script iaas-install-dashboard.sh to install the dashboard service
[root@controller ~]# iaas-install-dashboard.sh
 python-XStatic-jQuery.noarch 0:1.10.2.1-1.el7                                                        
  python-XStatic-jquery-ui.noarch 0:1.10.4.1-1.el7                                                     
  python-XStatic-smart-table.noarch 0:1.4.5.3-5.el7.1                                                  
  python-XStatic-termjs.noarch 0:0.0.4.2-2.el7                                                         
  python-ceilometerclient.noarch 0:2.3.0-1.el7                                                         
  python-django.noarch 0:1.8.14-1.el7                                                                  
  python-django-appconf.noarch 0:1.0.1-4.el7                                                           
  python-django-bash-completion.noarch 0:1.8.14-1.el7                                                  
  python-django-compressor.noarch 0:2.0-1.el7                                                          
  python-django-horizon.noarch 1:9.0.1-1.el7.centos                                                    
  python-django-openstack-auth.noarch 0:2.2.0-1.el7                                                    
  python-django-pyscss.noarch 0:2.0.2-1.el7                                                            
  python-heatclient.noarch 0:1.0.0-1.el7                                                               
  python-lesscpy.noarch 0:0.9j-4.el7                                                                   
  python-lockfile.noarch 1:0.9.1-4.el7.centos                                                          
  python-pathlib.noarch 0:1.0.1-1.el7                                                                  
  python-pint.noarch 0:0.6-2.el7                                                                       
  python-saharaclient.noarch 0:0.13.0-1.el7                                                            
  python-versiontools.noarch 0:1.9.1-4.el7                                                             
  python2-XStatic-bootswatch.noarch 0:3.3.5.3-2.el7                                                    
  python2-XStatic-mdi.noarch 0:1.1.70.1-5.el7                                                          
  python2-XStatic-roboto-fontface.noarch 0:0.4.3.2-8.el7                                               
  python2-rcssmin.x86_64 0:1.0.6-2.el7                                                                 
  python2-rjsmin.x86_64 0:1.0.12-2.el7                                                                 
  python2-scss.x86_64 0:1.3.4-6.el7                                                                    
  python2-troveclient.noarch 0:2.1.2-2.el7                                                             
  roboto-fontface-common.noarch 0:0.4.3.2-8.el7                                                        
  roboto-fontface-fonts.noarch 0:0.4.3.2-8.el7                                                         
  web-assets-filesystem.noarch 0:5-1.el7                                                               

Complete!
[root@controller ~]# 
  • After the steps above are complete, open a browser and go to http://192.168.10.20/dashboard (substitute your own controller IP) to verify the service. Log in with domain demo, user name admin, password 000000.

Installing the Swift service

  • Run iaas-install-swift-controller.sh on the controller node and then iaas-install-swift-compute.sh on the compute node to complete the installation
[root@controller ~]# iaas-install-swift-controller.sh
[root@compute ~]# iaas-install-swift-compute.sh 

Note: during installation on the compute node you must enter the controller password (000000).

  • Check the Swift status on the controller node
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]#  swift stat
        Account: AUTH_81ea07237d034c4e99369581c1b4db89
     Containers: 0
        Objects: 0
          Bytes: 0
X-Put-Timestamp: 1653716829.25598
    X-Timestamp: 1653716829.25598
     X-Trans-Id: txd872259f2fb24b0781102-006291b75c
   Content-Type: text/plain; charset=utf-8
  • List the containers
[root@controller ~]# swift list
  • Create a container (create a container named gw001 and list it)
[root@controller ~]# swift post gw001
[root@controller ~]# swift list
gw001
  • Container operations (upload a file to this container and list it)
[root@controller ~]#  swift upload gw001 anaconda-ks.cfg 
anaconda-ks.cfg
[root@controller ~]#  swift list gw001
anaconda-ks.cfg
  • Delete the file, then delete the container
[root@controller ~]# swift delete gw001 anaconda-ks.cfg
[root@controller ~]# swift list gw001
[root@controller ~]# swift delete gw001
[root@controller ~]# swift list

Configuring Cinder block storage

  • On the controller node, run the following scripts in order to install the Cinder service
[root@controller ~]#  iaas-install-cinder-controller.sh
[root@compute ~]# iaas-install-cinder-compute.sh
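  • Use Cinder block storage
    • Log in to OpenStack
    • Modify the security rules (allow all protocol rules)
  • Create a network
    • Click "System Panel → Networks" under the "Admin" list on the left of the page, then click "Create Network" on the right

    • First create a network (the external network). In the "Create Network" dialog, enter "ext-net" in the "Name" field, click the ▼ under "Project" and choose "admin" from the drop-down menu, choose "GRE" as the provider, tick both "Shared" and "External Network", enter "1" in the Segment ID field, and finally click "Submit" at the bottom right to finish

    • Open the ext-net network details page and click "Create Subnet" in the "Subnets" list to create a subnet. Enter the relevant information, click Next to reach the subnet details page, then click the Create button; the subnet is now created.

  • Create the internal network
    • In the "Create Network" dialog, enter "int-net" in the "Name" field, click the ▼ under "Project" and choose "admin" from the drop-down menu, then click "Submit" at the bottom right to finish
  • Create a subnet for the internal network
  • Create a router
    • Click "Network → Routers" under the "Project" list on the left, then click "Create Router" in the "Routers" list on the right to create the router
      For the external network, select the ext-net network just created
  • Add a new interface to the router and connect it to the internal network int-net

Uploading an image

  • Back on the controller node, upload the image with the following command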
[root@controller ~]# glance image-create --name centos --disk-format qcow2  --container-format bare  --progress <  /xiandian/images/CentOS_7.2_x86_64_XD.qcow2 
[=============================>] 100%
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ea197f4c679b8e1ce34c0aa70ae2a94a     |
| container_format | bare                                 |
| created_at       | 2022-05-28T06:18:00Z                 |
| disk_format      | qcow2                                |
| id               | 8a3c6a4e-e7a5-4e25-83c4-6e93bbf6c2f2 |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | centos                               |
| owner            | 81ea07237d034c4e99369581c1b4db89     |
| protected        | False                                |
| size             | 400752640                            |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-05-28T06:18:07Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

Note: if the command above reports an error, first run: source /etc/keystone/admin-openrc.sh

Creating an instance

  • Click Compute → Instances to start creating an instance
  • Associate a floating IP

  • Then enter the instance through the console in the web interface to verify logging in to OpenStack (password: 000000)

Attaching and using a volume

  • On the controller node, create a volume named test1 with a size of 2 GB. You can check it with the command cinder list
[root@controller ~]# source /etc/keystone/admin-openrc.sh
You have mail in /var/spool/mail/root
[root@controller ~]# cinder create --display-name test1 2
+--------------------------------+--------------------------------------+
|            Property            |                Value                 |
+--------------------------------+--------------------------------------+
|          attachments           |                  []                  |
|       availability_zone        |                 nova                 |
|            bootable            |                false                 |
|      consistencygroup_id       |                 None                 |
|           created_at           |      2022-05-28T06:57:43.000000      |
|          description           |                 None                 |
|           encrypted            |                False                 |
|               id               | 86c41fb6-cc12-4250-b79e-1474d5f64363 |
|            metadata            |                  {}                  |
|        migration_status        |                 None                 |
|          multiattach           |                False                 |
|              name              |                test1                 |
|     os-vol-host-attr:host      |                 None                 |
| os-vol-mig-status-attr:migstat |                 None                 |
| os-vol-mig-status-attr:name_id |                 None                 |
|  os-vol-tenant-attr:tenant_id  |   81ea07237d034c4e99369581c1b4db89   |
|       replication_status       |               disabled               |
|              size              |                  2                   |
|          snapshot_id           |                 None                 |
|          source_volid          |                 None                 |
|             status             |               creating               |
|           updated_at           |                 None                 |
|            user_id             |   2bee802355b24023968dc6e4bd11c983   |
|          volume_type           |                 None                 |
+--------------------------------+--------------------------------------+
[root@controller ~]# cinder list
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
|                  ID                  |   Status  |  Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
| 86c41fb6-cc12-4250-b79e-1474d5f64363 | available | test1 |  2   |      -      |  false   |             |
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
  • On the OpenStack main page, click "Compute -> Volumes" under the "Project" list on the left

  • On the "Volumes" page, the "Attached To" column shows "Attached to test on /dev/vdb"

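Managing authenticated users with Keystone

Overview

In the OpenStack framework, Keystone (the OpenStack Identity Service) is responsible for verifying identity, checking service rules and issuing service tokens; it implements OpenStack's Identity API. Keystone can be broken down into two functions: permission management and the service catalog. Permission management is mainly used for managing and authorizing users. The service catalog is similar to a service bus, or the registry of the whole OpenStack framework. The identity module provides API services, the token mechanism, the service catalog, rules, and authentication issuance.

Lab objectives

  • Configure and enable the identity service.
  • Create the user account alice.
  • Create the project acme, used to manage a group of accounts.
  • Create the role compute-user, used to manage user permissions.
  • Bind the user to the project's permissions.

Lab environment

Big-data training platform, IaaS_Mitaka_ALLinone.qcow2.

Lab preparation

  1. Concepts
    (1) Authentication.
    (2) Credentials.
    (3) Token.
    (4) Project.
    (5) User.
    (6) Role.
    Users of the cloud service are not limited to people; they can also be systems or services. A user can log in to the system with an assigned token and call resources. A user can be assigned to a specific project and perform project-related operations.
  2. Authentication flow
    The flow for a user requesting an instance involves the Keystone identity service, the Nova compute service and the Glance image service. Throughout the flow the token is passed along as the proof of authentication. The detailed authentication flow for a service request is shown in the figure.

Lab steps

  • Configure the Keystone environment
    • Before the Keystone service is installed, a user name and password must be specified so that identity can be verified through the identity service. At the outset no users exist, so the authorization token and the service's access endpoint must be used to create the specific users that will authenticate. After that, an environment file for the admin user (admin-openrc.sh) must be created to manage the final credentials and endpoints.
    • After the Keystone service is installed, its main configuration file is stored in the /etc/keystone directory and is named keystone.conf. The initial token value and the database connection address must be configured in this file.
    • Once the Keystone service is installed, it can be verified by requesting an identity token. The command is as follows (as the admin user, access http://xiandian:35357/v3 to obtain a token value)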
[root@controller ~]# openstack --os-project-name admin --os-domain-name xiandian --os-username admin --os-password 000000 --os-auth-url http://localhost:35357/v3 token issue
+------------+----------------------------------------------------------------------------------------------+
| Field      | Value                                                                                        |
+------------+----------------------------------------------------------------------------------------------+
| expires    | 2022-05-28T08:24:46.438626Z                                                                  |
| id         | gAAAAABikc4-R-jrAhRef15-hrQxBUPw0zPMzi8WOs-ZhDazFYpPNE-                                      |
|            | M2SVktdWfAuViYImyuHFYKwyFsGe5nxnAkcfnElQZYT3nFC-eRNJAH2JJZ496i0-TCGUv4R-F55vmSSVHYO3kLN1Mj-  |
|            | cdhYjJbW-REAEY2BAUqJFckfzxT4yEe67Om1M                                                        |
| project_id | 81ea07237d034c4e99369581c1b4db89                                                             |
| user_id    | 2bee802355b24023968dc6e4bd11c983                                                             |
+------------+----------------------------------------------------------------------------------------------+

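**Note: if the command fails, wait 2-3 seconds and run it again.**

  • Managing and verifying users
    OpenStack users include cloud platform consumers, services and systems. Users authenticate to log in to the system and call resources. For ease of management, users are assigned to one or more projects; a project is a collection of users. To give users different permissions, Keystone defines roles; a role represents permissions such as the resources a user may access. A user can be added to any global or project-level role. With a global role, the user's role permissions apply to all users, that is, the user can exercise the permissions the role defines over all users; with a project-level role, the user can exercise the role's permissions only within the current project. Several common operations are described below.
    • Create a user
      Operations in OpenStack require the environment variables to be loaded first; the command is as follows.
    • Create an account named "alice" with the password "mypassword123" and the e-mail address "alice@example.com". The command is as follows.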
[root@controller ~]# openstack user create --password mypassword123 --email alice@example.com --domain demo alice
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | alice@example.com                |
| enabled   | True                             |
| id        | 682c3257d62748028d1a1e7cc7ac6efb |
| name      | alice                            |
+-----------+----------------------------------+
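  • Create a project
    A project is a project, team or organization. When you request an OpenStack service you must specify a project, for example when querying the Compute service for the list of running instances.
    Create a project named "acme"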
[root@controller ~]# openstack project create --domain demo acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | 179cab81dcae4692afee5add4a6399a3 |
| is_domain   | False                            |
| name        | acme                             |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
  • Create a role
    A role restricts what a user is allowed to do. For example, create a role "compute-user" with the following command.
[root@controller ~]# openstack role create compute-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | c7c1a505197246d3a20678746acc04cd |
| name      | compute-user                     |
+-----------+----------------------------------+
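  • Bind user and project permissions
    A newly added user needs to be given permissions, which means binding the user to a project and a role. For example, assign the user "alice" the "compute-user" role in the "acme" project with the following command.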
[root@controller ~]# openstack role add --user alice --project acme compute-user

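Creating projects and users and binding user permissions

Overview

Permission management is mainly used for managing and authorizing users. The service catalog is similar to a service bus, or the registry of the whole OpenStack framework. The identity module provides API services, the token mechanism, the service catalog, rules, and authentication issuance.

Lab objectives

  • The company has 100 employees: 50 in the R&D department (development environment), 45 in the business department (office environment) and 5 in the IT engineering department (operations environment).
  • Based on the department allocation, build 3 projects and 100 users. Managers have administrator permissions and all other staff have ordinary user permissions. The plan is shown in the table.

Lab environment

Big-data training platform, IaaS_Mitaka_ALLinone.qcow2.

Lab preparation

OpenStack services include Nova, Glance, Swift, Heat, Ceilometer and others.

  • Nova provides the compute service
  • Glance provides the image management service
  • Swift provides the object storage service
  • Heat provides the resource orchestration service
  • Ceilometer provides the alarm and billing service
  • Cinder provides the block storage service
  • To make these services easy to call, OpenStack gives each service an endpoint through which it is accessed
  • To access a service you must know its endpoint. An endpoint is normally a URL; once you know the service's URL, you can access it.
  • An endpoint URL has one of three access levels: public, private and admin.
  • The public url can be accessed globally, the private url can be accessed only from the local network, and the admin url is kept separate from regular access.

Common service management commands

(1) Create a service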

# openstack service create

Purpose: create a service.
Format:

# openstack service create --name <name> <type>
[--description <description>]

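Parameters.
--name <name>: name of the service to create.
<type>: type of the service to create.
--description <description>: description of the service.

(2) Create a service endpoint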

# openstack endpoint create

Purpose: create the API endpoint through which a service is accessed.
Format:

# openstack endpoint create [--region <region-id>] 
<service> <interface> <url>
[--enable | --disable]

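Parameters.
--region <region-id>: ID of the region in which the endpoint is created.
<service>: name of the service the endpoint is created for.

(3) Query the service catalog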

# source /etc/keystone/admin-openrc.sh 

[root@controller ~]# openstack catalog list
+----------+--------------+-----------------------------------------------------------------------------+
| Name     | Type         | Endpoints                                                                   |
+----------+--------------+-----------------------------------------------------------------------------+
| swift    | object-store | RegionOne                                                                   |
|          |              |   internal: http://controller:8080/v1/AUTH_81ea07237d034c4e99369581c1b4db89 |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:8080/v1                                          |
|          |              | RegionOne                                                                   |
|          |              |   public: http://controller:8080/v1/AUTH_81ea07237d034c4e99369581c1b4db89   |
|          |              |                                                                             |
| glance   | image        | RegionOne                                                                   |
|          |              |   internal: http://controller:9292                                          |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:9292                                             |
|          |              | RegionOne                                                                   |
|          |              |   public: http://controller:9292                                            |
|          |              |                                                                             |
| cinder   | volume       | RegionOne                                                                   |
|          |              |   internal: http://controller:8776/v1/81ea07237d034c4e99369581c1b4db89      |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:8776/v1/81ea07237d034c4e99369581c1b4db89         |
|          |              | RegionOne                                                                   |
|          |              |   public: http://controller:8776/v1/81ea07237d034c4e99369581c1b4db89        |
|          |              |                                                                             |
| nova     | compute      | RegionOne                                                                   |
|          |              |   admin: http://controller:8774/v2.1/81ea07237d034c4e99369581c1b4db89       |
|          |              | RegionOne                                                                   |
|          |              |   internal: http://controller:8774/v2.1/81ea07237d034c4e99369581c1b4db89    |
|          |              | RegionOne                                                                   |
|          |              |   public: http://controller:8774/v2.1/81ea07237d034c4e99369581c1b4db89      |
|          |              |                                                                             |
| cinderv2 | volumev2     | RegionOne                                                                   |
|          |              |   public: http://controller:8776/v2/81ea07237d034c4e99369581c1b4db89        |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:8776/v2/81ea07237d034c4e99369581c1b4db89         |
|          |              | RegionOne                                                                   |
|          |              |   internal: http://controller:8776/v2/81ea07237d034c4e99369581c1b4db89      |
|          |              |                                                                             |
| keystone | identity     | RegionOne                                                                   |
|          |              |   internal: http://controller:5000/v3                                       |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:35357/v3                                         |
|          |              | RegionOne                                                                   |
|          |              |   public: http://controller:5000/v3                                         |
|          |              |                                                                             |
| neutron  | network      | RegionOne                                                                   |
|          |              |   public: http://controller:9696                                            |
|          |              | RegionOne                                                                   |
|          |              |   admin: http://controller:9696                                             |
|          |              | RegionOne                                                                   |
|          |              |   internal: http://controller:9696                                          |
|          |              |                                                                             |
+----------+--------------+-----------------------------------------------------------------------------+

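The Service Catalog is a list of REST API endpoints that Keystone provides for OpenStack and that serves as a reference for decisions. To display information about one service, use the following command format: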

# openstack catalog show <service> 

The <service> parameter names the service to display.
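
A check over the catalog table shown above, as an added example that is not part of the original article: it reports every endpoint served over plain http:// and every service whose admin URL is identical to its public URL. The function names and the sample table (including the https "example" service) are constructed for illustration; in use, pipe the real `openstack catalog list` output into `audit_catalog`.

```shell
#!/bin/sh
# Added example (not from the article). Reads the table printed by
# `openstack catalog list` on stdin and prints one finding per line:
#   cleartext <service> <interface> <url>      endpoint uses http://
#   admin-equals-public <service> <url>        admin URL is the public URL

audit_catalog() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 5 { next }                 # border lines contain no "|" cells
        {
            name = trim($2); cell = trim($4)
            # A non-empty first column starts a new service block.
            if (name != "" && name != "Name") svc = name
            # Endpoint rows look like "admin: http://controller:35357/v3".
            if (cell ~ /^(public|internal|admin): /) {
                iface = cell; sub(/:.*/, "", iface)
                url = cell;   sub(/^[a-z]+: */, "", url)
                seen[svc, iface] = url
                order[++n] = svc SUBSEP iface
                if (url ~ /^http:\/\//)
                    print "cleartext " svc " " iface " " url
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], k, SUBSEP)
                if (k[2] == "admin" && seen[k[1], "public"] == seen[k[1], "admin"])
                    print "admin-equals-public " k[1] " " seen[k[1], "admin"]
            }
        }'
}

# Constructed sample in the same layout as the catalog output above.
# The "example" service with https URLs is invented for contrast.
sample_catalog() {
    cat <<'EOF'
+----------+----------+-------------------------------------------+
| Name     | Type     | Endpoints                                 |
+----------+----------+-------------------------------------------+
| glance   | image    | RegionOne                                 |
|          |          |   internal: http://controller:9292        |
|          |          | RegionOne                                 |
|          |          |   admin: http://controller:9292           |
|          |          | RegionOne                                 |
|          |          |   public: http://controller:9292          |
|          |          |                                           |
| keystone | identity | RegionOne                                 |
|          |          |   internal: http://controller:5000/v3     |
|          |          | RegionOne                                 |
|          |          |   admin: http://controller:35357/v3       |
|          |          | RegionOne                                 |
|          |          |   public: http://controller:5000/v3       |
|          |          |                                           |
| example  | demo     | RegionOne                                 |
|          |          |   public: https://controller.example:8443 |
|          |          | RegionOne                                 |
|          |          |   admin: https://admin.example:8443       |
+----------+----------+-------------------------------------------+
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_catalog | audit_catalog
fi
```

On the lab deployment every line of the real catalog would be reported as cleartext, since all of its endpoints use http://.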

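Lab steps

  1. Create projects
    Create a project named RD_Dept for the research and development department, a project named BS_Dept for the business department, and a project named IT_Dept for the IT engineering department.
    Operations in OpenStack require the environment variables to be loaded first; the command is as follows: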
[root@controller ~]# source /etc/keystone/admin-openrc.sh
  • Create a project named BS_Dept with the following command:
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack project create "BS_Dept" --domain demo --description 业务部门
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | 业务部门                         |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | a7576f6ab86740cab6c7e3130ccecd82 |
| is_domain   | False                            |
| name        | BS_Dept                          |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
  • Get the details of the BS_Dept project with the following command:
[root@controller ~]# openstack project show BS_Dept
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | 业务部门                         |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | a7576f6ab86740cab6c7e3130ccecd82 |
| is_domain   | False                            |
| name        | BS_Dept                          |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
  • Use a script to create a project named IT_Dept for the engineering department.
  • Write the Keystone-manage-project.sh script with the following command:
[root@controller ~]# vi Keystone-manage-project.sh
#!/bin/bash
# Load the admin credentials (OS_* variables) used by the openstack client.
if [  -f "/etc/keystone/admin-openrc.sh" ];then
        source /etc/keystone/admin-openrc.sh
else
        # Fallback: search the filesystem for the credentials file.
        env_path=`find / -name admin-openrc.sh`
        source $env_path
fi
    echo -e "\033[31mPlease Input new Project name : eg (openstack)\033[0m "
        read -r New_Project_Name
        if [ ! -n "$New_Project_Name" ];then
            echo -e "\033[31mProject Name Is Empty,Exit\033[0m "
            exit 1
        fi
    echo -e "\033[31mPlease Input Project description : eg (openstack description)\033[0m "
        read -r New_Project_des
        if [ ! -n "$New_Project_des" ];then
             echo -e "\033[31mProject  Description  Is Empty,Exit\033[0m "
             exit 1
        fi
        # The description entered above is only checked for emptiness; the project
        # is created with the fixed description "Service Project".
        # Variables are quoted so that input is passed as a single argument.
               openstack project create --domain "$OS_PROJECT_DOMAIN_NAME" --description "Service Project" "$New_Project_Name"
               echo -e "\033[31mKeystone All Project List\033[0m "
               openstack project list


~
"Keystone-manage-project.sh" [New] 27L, 1211C written
[root@controller ~]# chmod +x Keystone-manage-project.sh
[root@controller ~]# ./Keystone-manage-project.sh
Please Input new Project name : eg (openstack) 
IT_DEpt^H^H^HePt^H^H^C
[root@controller ~]# ./Keystone-manage-project.sh
Please Input new Project name : eg (openstack) 
IT_Dept
Please Input Project description : eg (openstack description) 
IT工程部门
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | d9a68590f02344e48664db501542cec2 |
| is_domain   | False                            |
| name        | IT_Dept                          |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
Keystone All Project List 
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 09ecb096e1034e5b9e5166adfc15a6f0 | service |
| 179cab81dcae4692afee5add4a6399a3 | acme    |
| 5e04233827f848228c4a5a238c1e780b | demo    |
| 81ea07237d034c4e99369581c1b4db89 | admin   |
| a7576f6ab86740cab6c7e3130ccecd82 | BS_Dept |
| d9a68590f02344e48664db501542cec2 | IT_Dept |
+----------------------------------+---------+
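  2. Create user accounts
  • Create 50 users for the R&D department, named rduser001~rduser050, with the password cloudpasswd
  • Create 45 users for the business department, named bsuser001~bsuser045, with the password cloudpasswd
  • Create 5 users for the IT engineering department, named ituser001~ituser005, with the password cloudpasswd.

Create the user rduser002 with the password cloudpasswd using the following command: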

[root@controller ~]# openstack user create rduser002 --password cloudpasswd --domain demo --email rduser002@example.com
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | rduser002@example.com            |
| enabled   | True                             |
| id        | 41cb35e9b08c4846a88e0277547a6fbd |
| name      | rduser002                        |
+-----------+----------------------------------+
  • Run the shell script Keystone-manage-user.sh to create the users rduser003~rduser050 for the R&D department, with the password cloudpasswd.
  • Write the Keystone-manage-user.sh script with the following command:
[root@controller ~]# vi  Keystone-manage-user.sh
#!/bin/bash
if [  -f "/etc/keystone/admin-openrc.sh" ];then
        source /etc/keystone/admin-openrc.sh
else
        env_path=`find / -name admin-openrc.sh`
        source $env_path
fi
        echo -e "\033[31mPlease Input New User Name : eg (username)\033[0m "
        read New_User_Name
                if [ ! -n "$New_User_Name" ];then
                         echo -e "\033[31mUser Name Is Empty,Exit\033[0m "
                         exit 1
                fi
        echo -e "\033[31mPlease Input User Password: eg (000000)\033[0m "
        read New_User_Pw
                if [ ! -n "$New_User_Pw" ];then
                 echo -e "\033[31mPasswd Is Empty,Exit\033[0m "
                 exit 1
           fi
        echo -e "\033[31mPlease Input User Email Address,If don't need  press enter: eg (openstack.com)\033[0m "
        read New_User_Email
                if [ ! -n "$New_User_Email" ];then
                 echo -e "\033[31mEmail Address Is Empty,Exit\033[0m "
                 exit 1
           fi
    echo -e "\033[31mPlease Input User   Beginning And End  Number: eg (001-002)\033[0m "
        read New_User_Range
            if [ ! -n "$New_User_Range" ];then
                    echo -e "\033[31mNumber Is Empty,Exit\033[0m "
                    exit 1
                else
                    U_Start=`echo $New_User_Range |awk -F- '{ print $1}'| awk '{print $0+0}'`
                    N_U_Start=`printf "%03d\n" $U_Start`
                    U_End=`echo $New_User_Range |awk -F- '{ print $2}' | awk '{print $0+0}'`
                    N_U_End=`printf "%03d\n" $U_End`
                    U_End1=$[$U_End+1]
                    IF_username_exists=`openstack user list | sed '1,3d'|sed '$d'|awk '{print $4}'`
                        for username_exists in $IF_username_exists;do
                            for (( username_number = $U_Start;username_number < $U_End1;username_number++ ));do
                                real_username_number=`printf "%03d\n" $username_number`
                                    if [ $New_User_Name$real_username_number == $username_exists ];then
                                        echo -e "\033[31mUser $New_User_Name$real_username_number is exists\033[0m "
                                        exit 1
                                    fi
                            done
                        done
            fi
        echo -e "\033[31mPlease enter the User belong Roles Name, Press enter for '_member_' role by default: eg (admin)\033[0m "
        read New_User_Role
            if [ ! -n "$New_User_Role" ];then
                    New_User_Role=_member_
           else
                    IF_Role_Exists=`openstack role list |sed '1,3d' |sed '$d' |awk '{print $4}'`
                   # -F -x: literal, whole-line match (grep -w would accept "compute" for "compute-user")
                   if  echo "$IF_Role_Exists" | grep -Fxq -- "$New_User_Role" ; then
                           echo "exists" >> /dev/null
                   else
                          echo -e "\033[31mRole $New_User_Role not exists\033[0m "
                          exit 1
                  fi
          fi

    echo -e "\033[31mPlease Input User belong Project Name: eg (projectname)\033[0m "
        read New_User_Tenant
                if [ ! -n "$New_User_Tenant" ];then
                         echo -e "\033[31mProject Name Is Empty,Exit\033[0m "
                         exit 1
            else
                    IF_Tenant_Exists=`openstack project list |sed '1,3d' |sed '$d' |awk '{print $4}'`
                   # -F -x: literal, whole-line match against the project names
                   if  echo "$IF_Tenant_Exists" | grep -Fxq -- "$New_User_Tenant" ; then
                           echo "exists" >> /dev/null
                   else
                          echo -e "\033[31mProject $New_User_Tenant not exists\033[0m "
                          exit 1
                  fi
             fi
                            for (( username_number = $U_Start;username_number< $U_End1;username_number++ ));do
                                real_username_number=`printf "%03d\n" $username_number`
                                # Quote every expansion so typed input reaches the client as one argument each
                                openstack user create --domain "$OS_PROJECT_DOMAIN_NAME" --password "$New_User_Pw" "$New_User_Name$real_username_number" --email "$New_User_Name$real_username_number@$New_User_Email"
                                openstack role add --project "$New_User_Tenant" --user "$New_User_Name$real_username_number" "$New_User_Role"
                            done
                                echo -e "\033[31mKeystone All User List\033[0m "
                                openstack user list
[root@controller ~]# chmod +x Keystone-manage-user.sh

  • Create the R&D department project by running the following command:
[root@controller ~]#  openstack project create "RD_Dept" --domain demo  --description 研发部门
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | 研发部门                         |
| domain_id   | 942f35ec481245a48d6100c6683a5fcb |
| enabled     | True                             |
| id          | 93ae746f87744d6d9a2056ca08f602c8 |
| is_domain   | False                            |
| name        | RD_Dept                          |
| parent_id   | 942f35ec481245a48d6100c6683a5fcb |
+-------------+----------------------------------+
  • Run the script. At the prompts, enter the user name, the user password, the e-mail domain, the user role (only one role can be assigned here) and the department the users belong to.
[root@controller ~]# ./Keystone-manage-user.sh 
Please Input New User Name : eg (username) 
rduser
Please Input User Password: eg (000000) 
cloudpasswd
Please Input User Email Address,If don't need  press enter: eg (openstack.com) 
example.com
Please Input User   Beginning And End  Number: eg (001-002) 
003-050
Please enter the User belong Roles Name, Press enter for '_member_' role by default: eg (admin) 
admin
Please Input User belong Project Name: eg (projectname) 
RD_Dept
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | rduser003@example.com            |
| enabled   | True                             |
| id        | ea6bd13fff4344019ee57bbc838b25c9 |
| name      | rduser003                        |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | rduser004@example.com            |
| enabled   | True                             |
| id        | e4a66855bc3042cab24588d155c98826 |
| name      | rduser004                        |
+-----------+----------------------------------+
Keystone All User List 
  • Run the shell script to create users ituser001~ituser005 for the IT engineering department, with the password cloudpasswd.
[root@controller ~]# ./Keystone-manage-user.sh 
Please Input New User Name : eg (username) 
ituser
Please Input User Password: eg (000000) 
cloudpasswd
Please Input User Email Address,If don't need  press enter: eg (openstack.com) 
example.com
Please Input User   Beginning And End  Number: eg (001-002) 
001-005
Please enter the User belong Roles Name, Press enter for '_member_' role by default: eg (admin) 
admin
Please Input User belong Project Name: eg (projectname) 
IT_Dept
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | ituser001@example.com            |
| enabled   | True                             |
| id        | ed089ab3014d4c0393439fa6b8bf0f2e |
| name      | ituser001                        |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | ituser002@example.com            |
| enabled   | True                             |
| id        | 8dfceea3982e4bf3875fa559b2e02b5a |
| name      | ituser002                        |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | ituser003@example.com            |
| enabled   | True                             |
| id        | 4fb78b56fcb14175885ea188da68a468 |
| name      | ituser003                        |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | ituser004@example.com            |
| enabled   | True                             |
| id        | 212ae123a4a345c9b05c3cf0852b2197 |
| name      | ituser004                        |
+-----------+----------------------------------+
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 942f35ec481245a48d6100c6683a5fcb |
| email     | ituser005@example.com            |
| enabled   | True                             |
| id        | 1345c045e91e428eb64e355bbae98505 |
| name      | ituser005                        |
+-----------+----------------------------------+
Keystone All User List 
  • From the shell command line, bind the regular-user role to user rduser002 of the R&D department project by running the following commands:
[root@controller ~]# openstack role create  _member_
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 9fe2ff9ee4384b1894a90878d3e92bab |
| name      | _member_                         |
+-----------+----------------------------------+
[root@controller ~]# openstack role add --user rduser002 --project RD_Dept _member_
[root@controller ~]# openstack role list --user rduser002 --project RD_Dept
+----------------------------------+----------+---------+-----------+
| ID                               | Name     | Project | User      |
+----------------------------------+----------+---------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | RD_Dept | rduser002 |
+----------------------------------+----------+---------+-----------+
  • Write a script that binds the regular-user and administrator roles to users ituser001~ituser005 of the IT engineering department project.
[root@controller ~]# vi  Keystone-manage-add-role.sh
#!/bin/bash
# Load the Keystone admin credentials
if [ -f "/etc/keystone/admin-openrc.sh" ]; then
        source /etc/keystone/admin-openrc.sh
else
        # Fallback: sources the first file of that name found anywhere on disk,
        # so it runs whatever that file contains; a fixed path is preferable
        env_path=$(find / -name admin-openrc.sh 2>/dev/null | head -n 1)
        source "$env_path"
fi
        echo -e "\033[31mPlease Enter The User Name\033[0m "
        read -r Add_Role_Username
        echo -e "\033[31mPlease Input User  Beginning And End  Number: eg (001-002)\033[0m "
        read -r Add_User_Range
                if [ -z "$Add_User_Range" ]; then
                    # Without a range the loop below has no bounds, so stop here
                    echo -e "\033[31mUser Number Range Is Empty,Exit\033[0m "
                    exit 1
                else
                    # awk's +0 strips leading zeros so 008 is not read as octal
                    A_R_Start=$(echo "$Add_User_Range" | awk -F- '{ print $1 }' | awk '{ print $0+0 }')
                    A_R_End=$(echo "$Add_User_Range" | awk -F- '{ print $2 }' | awk '{ print $0+0 }')
                    A_R_End1=$((A_R_End + 1))
                fi
        echo -e "\033[31mPlease Enter the Project Name\033[0m "
        read -r Add_Role_Tenant
            # One project name per line, taken from the table output
            IF_Tenant_Exists=$(openstack project list | sed '1,3d' | sed '$d' | awk '{print $4}')
            # -F -x: fixed-string, whole-line match instead of grep -w's word match
            if ! echo "$IF_Tenant_Exists" | grep -Fxq -- "$Add_Role_Tenant"; then
                echo -e "\033[31mProject $Add_Role_Tenant not exists\033[0m "
                exit 1
            fi
        echo -e "\033[31mPlease Enter the  Role Name\033[0m "
        read -r Add_Role_New_Role
            # One role name per line, taken from the table output
            IF_Role_Exists=$(openstack role list | sed '1,3d' | sed '$d' | awk '{print $4}')
            if ! echo "$IF_Role_Exists" | grep -Fxq -- "$Add_Role_New_Role"; then
                echo -e "\033[31mRole $Add_Role_New_Role not exists\033[0m "
                exit 1
            fi
        # Add the role to each numbered user, then show that user's assignments
        for (( username_number = A_R_Start; username_number < A_R_End1; username_number++ )); do
                real_username_number=$(printf "%03d" "$username_number")
                openstack role add --project "$Add_Role_Tenant" --user "$Add_Role_Username$real_username_number" "$Add_Role_New_Role"
                echo -e "\033[31mKeystone user $Add_Role_Username$real_username_number Project $Add_Role_Tenant role list\033[0m "
                openstack role assignment list --user "$Add_Role_Username$real_username_number" --project "$Add_Role_Tenant"
        done
[root@controller ~]# chmod +x Keystone-manage-add-role.sh
[root@controller ~]# ./Keystone-manage-add-role.sh
Please Enter The User Name 
ituser
Please Input User  Beginning And End  Number: eg (001-002) 
001-005
Please Enter the Project Name 
IT_Dept
Please Enter the  Role Name 
admin
Keystone user ituser001 Project IT_Dept role list 
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| Role                    | User                    | Group | Project                  | Domain | Inherited |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| 28e00fea5f4344edaa093f6 | ed089ab3014d4c0393439fa |       | d9a68590f02344e48664db50 |        | False     |
| 17fc55d5a               | 6b8bf0f2e               |       | 1542cec2                 |        |           |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
Keystone user ituser002 Project IT_Dept role list 
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| Role                    | User                    | Group | Project                  | Domain | Inherited |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| 28e00fea5f4344edaa093f6 | 8dfceea3982e4bf3875fa55 |       | d9a68590f02344e48664db50 |        | False     |
| 17fc55d5a               | 9b2e02b5a               |       | 1542cec2                 |        |           |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
Keystone user ituser003 Project IT_Dept role list 
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| Role                    | User                    | Group | Project                  | Domain | Inherited |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| 28e00fea5f4344edaa093f6 | 4fb78b56fcb14175885ea18 |       | d9a68590f02344e48664db50 |        | False     |
| 17fc55d5a               | 8da68a468               |       | 1542cec2                 |        |           |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
Keystone user ituser004 Project IT_Dept role list 
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| Role                    | User                    | Group | Project                  | Domain | Inherited |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| 28e00fea5f4344edaa093f6 | 212ae123a4a345c9b05c3cf |       | d9a68590f02344e48664db50 |        | False     |
| 17fc55d5a               | 0852b2197               |       | 1542cec2                 |        |           |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
Keystone user ituser005 Project IT_Dept role list 
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| Role                    | User                    | Group | Project                  | Domain | Inherited |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+
| 28e00fea5f4344edaa093f6 | 1345c045e91e428eb64e355 |       | d9a68590f02344e48664db50 |        | False     |
| 17fc55d5a               | bbae98505               |       | 1542cec2                 |        |           |
+-------------------------+-------------------------+-------+--------------------------+--------+-----------+

You can see the users, roles, and projects that were created!
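
Added example (not part of the original article or of Keystone-manage-user.sh): the runs above give every generated account the shared password cloudpasswd and the admin role. These POSIX shell helpers expand the same 001-005 style range, reject names that could be read as options or extra arguments, generate a separate random password per user, and default to _member_. The function names, the DRY_RUN switch and the new-users.txt file are assumptions made for this example; only openstack user create and openstack role add come from the page.

```shell
#!/bin/sh
# Added example: stricter batch provisioning helpers (hypothetical names).

# valid_name NAME: accept only a conservative character set, no leading "-",
# so a value can never be parsed as an option or split into several arguments.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# expand_user_range PREFIX RANGE: print PREFIX001 ... one name per line.
expand_user_range() (
    prefix=$1 range=$2
    valid_name "$prefix" || { echo "invalid user name prefix" >&2; exit 1; }
    case $range in
        *-*) start=${range%%-*} end=${range#*-} ;;
        *)   echo "range must look like 001-005" >&2; exit 1 ;;
    esac
    for part in "$start" "$end"; do
        case $part in
            ''|????*|*[!0-9]*) echo "range must look like 001-005" >&2; exit 1 ;;
        esac
    done
    # Strip leading zeros: the shell would read 008 as an invalid octal number.
    start=$(printf '%s' "$start" | sed 's/^0*//'); start=${start:-0}
    end=$(printf '%s' "$end" | sed 's/^0*//'); end=${end:-0}
    [ "$start" -le "$end" ] || { echo "range start exceeds end" >&2; exit 1; }
    n=$start
    while [ "$n" -le "$end" ]; do
        printf '%s%03d\n' "$prefix" "$n"
        n=$((n + 1))
    done
)

# gen_password: 18 bytes (144 bits) from the kernel CSPRNG as 36 hex characters.
gen_password() {
    head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \t\n'
}

# provision_users PREFIX RANGE PROJECT [ROLE] [OUTFILE]
# ROLE defaults to _member_; admin has to be asked for explicitly.
# DRY_RUN=1 prints the planned commands without calling openstack.
provision_users() (
    prefix=$1 range=$2 project=$3 role=${4:-_member_} out=${5:-./new-users.txt}
    domain=${OS_PROJECT_DOMAIN_NAME:-demo}
    valid_name "$project" && valid_name "$role" && valid_name "$domain" ||
        { echo "invalid project, role or domain name" >&2; exit 1; }
    names=$(expand_user_range "$prefix" "$range") || exit 1
    umask 077   # a newly created credential file is readable by its owner only
    # $names is safe to split unquoted: every name passed valid_name above.
    for name in $names; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "openstack user create --domain $domain --password <generated> $name"
            echo "openstack role add --project $project --user $name $role"
            continue
        fi
        pw=$(gen_password)
        # --password puts the value on the command line, where other local
        # users can see it in the process list while the command runs.
        openstack user create --domain "$domain" --password "$pw" "$name" || exit 1
        openstack role add --project "$project" --user "$name" "$role" || exit 1
        printf '%s %s\n' "$name" "$pw" >> "$out"
    done
)

# Usage: DRY_RUN=1 provision_users ituser 001-005 IT_Dept
```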

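Image Service

Overview

Having studied the identity service, we can access the enterprise cloud platform under different identities: we can log in to the R&D department with an R&D account, access the business department's resources through the business department, or log in as the IT engineering department to view the running state of the whole system. Next we continue with the image service (Glance) and look at how this component supports the normal operation of the platform.

Lab Objectives

  • Understand the basic concepts of RabbitMQ.
  • Understand the service flow and working mechanism of the image service.
  • Master the basic operations and common maintenance tasks of the image service.

Lab Environment

Big-data training platform, IaaS_Mitaka_ALLinone.qcow2.

Lab Preparation

  1. Overview: the Glance image service implements discovery, registration, and retrieval of virtual machine images and image metadata. Image data can be stored in a variety of storage systems, such as a simple file system or an object storage system.
  2. Glance service architecture: the Glance image service has a typical C/S (client/server) architecture.
  • The Glance architecture consists of glance-Client, Glance, and Glance Store.
  • Glance mainly comprises the REST API, the database abstraction layer (DAL), the domain controller (glance domain controller), and the registry layer. Glance uses a central database (Glance DB) to share data directly among its components.
  • All image file operations go through the glance_store library, which provides a common interface to different external back-end storage.

Lab Steps

  1. Query the Glance version
    (1) Check the Glance service list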
[root@controller ~]#  source /etc/keystone/admin-openrc.sh 
[root@controller ~]# openstack-service  list | grep glance
openstack-glance-api
openstack-glance-registry

(2) Check whether the Glance services are running

[root@controller ~]# openstack-service status | grep glance
MainPID=1290 Id=openstack-glance-api.service ActiveState=active
MainPID=1270 Id=openstack-glance-registry.service ActiveState=active

(3) Query the glance-control version

[root@controller ~]# glance-control --version
12.0.0
  2. Create an image
    (1) Download the CirrOS image
    (2) Upload it to /tmp/images
[root@controller ~]# mkdir /tmp/images
[root@controller ~]# cd /tmp/images
[root@controller images]# ls
cirros-0.3.4-x86_64-disk.img
[root@controller images]# mv cirros-0.3.4-x86_64-disk.img cirros-0.3.2-x86_64-disk.img
[root@controller images]# file cirros-0.3.2-x86_64-disk.img 
cirros-0.3.2-x86_64-disk.img: QEMU QCOW Image (v2), 41126400 bytes

(3) Create the image from the command line

[root@controller images]# glance image-create --name "cirros-0.3.2-x86_64" --disk-format qcow2 --container-format bare --progress < cirros-0.3.2-x86_64-disk.img 
[=============================>] 100%
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-05-28T09:05:40Z                 |
| disk_format      | qcow2                                |
| id               | 2fb8263b-383b-4d2d-ab92-526c08fbdcc2 |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros-0.3.2-x86_64                  |
| owner            | 81ea07237d034c4e99369581c1b4db89     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-05-28T09:05:42Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

(4) Query the image list

[root@controller images]# glance image-list
+--------------------------------------+---------------------+
| ID                                   | Name                |
+--------------------------------------+---------------------+
| 8a3c6a4e-e7a5-4e25-83c4-6e93bbf6c2f2 | centos              |
| 2fb8263b-383b-4d2d-ab92-526c08fbdcc2 | cirros-0.3.2-x86_64 |
+--------------------------------------+---------------------+
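
Added example (not from the original article): a check that the bytes Glance stored are the bytes on disk. In this Glance release the checksum property is the MD5 of the uploaded data, so the helper compares the local file's size and MD5 with the size, checksum and status rows of a saved glance image-show table. The function names and the optional third argument (a digest obtained from the image publisher) are assumptions for this example.

```shell
#!/bin/sh
# Added example: verify an uploaded image against the record Glance keeps.

# glance_field PROPERTY: read a `glance image-show` table on stdin and print
# the Value column of the row whose Property column equals PROPERTY.
glance_field() {
    awk -F'|' -v key="$1" '
        NF >= 3 {
            k = $2; v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# verify_image FILE TABLE_FILE [PUBLISHER_MD5]
# Returns 0 only when the image is active and size and MD5 both match.
verify_image() (
    file=$1 table=$2 trusted=${3:-}
    [ -f "$file" ] && [ -f "$table" ] || { echo "missing input file" >&2; exit 2; }

    want_sum=$(glance_field checksum < "$table")
    want_size=$(glance_field size < "$table")
    status=$(glance_field status < "$table")
    have_sum=$(md5sum "$file" | awk '{print $1}')
    have_size=$(wc -c < "$file" | tr -d ' ')

    # A digest from the publisher catches a file that was already altered
    # before upload; the Glance record alone only covers the upload itself.
    if [ -n "$trusted" ] && [ "$have_sum" != "$trusted" ]; then
        echo "local file does not match the publisher digest" >&2; exit 1
    fi
    [ "$status" = active ] ||
        { echo "image status is '$status', not active" >&2; exit 1; }
    [ "$have_size" = "$want_size" ] ||
        { echo "size mismatch: local $have_size, glance $want_size" >&2; exit 1; }
    [ "$have_sum" = "$want_sum" ] ||
        { echo "checksum mismatch: local $have_sum, glance $want_sum" >&2; exit 1; }
    echo "OK: $file matches the Glance record"
)

# Usage:
#   glance image-show <image-id> > show.txt
#   verify_image cirros-0.3.2-x86_64-disk.img show.txt
```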
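  3. Modify an image
    You can use glance image-update to update image information and glance image-delete to delete an image. When changing the minimum disk size required to boot the image (min-disk), note that the default unit of min-disk is GB.
    (1) Get the image details
    The image ID is obtained from the image list; every image has a different ID.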
[root@controller images]# glance image-list
+--------------------------------------+---------------------+
| ID                                   | Name                |
+--------------------------------------+---------------------+
| 8a3c6a4e-e7a5-4e25-83c4-6e93bbf6c2f2 | centos              |
| 2fb8263b-383b-4d2d-ab92-526c08fbdcc2 | cirros-0.3.2-x86_64 |
+--------------------------------------+---------------------+
[root@controller images]# glance image-show 2fb8263b-383b-4d2d-ab92-526c08fbdcc2
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-05-28T09:05:40Z                 |
| disk_format      | qcow2                                |
| id               | 2fb8263b-383b-4d2d-ab92-526c08fbdcc2 |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros-0.3.2-x86_64                  |
| owner            | 81ea07237d034c4e99369581c1b4db89     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-05-28T09:05:42Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

(2) Change the disk size required to boot the image

[root@controller images]# glance image-update --min-disk=1 2fb8263b-383b-4d2d-ab92-526c08fbdcc2
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-05-28T09:05:40Z                 |
| disk_format      | qcow2                                |
| id               | 2fb8263b-383b-4d2d-ab92-526c08fbdcc2 |
| min_disk         | 1                                    |
| min_ram          | 0                                    |
| name             | cirros-0.3.2-x86_64                  |
| owner            | 81ea07237d034c4e99369581c1b4db89     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-05-28T09:57:47Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

(3) Delete the image

[root@controller images]# glance image-delete 2fb8263b-383b-4d2d-ab92-526c08fbdcc2
[root@controller images]# glance image-list
+--------------------------------------+--------+
| ID                                   | Name   |
+--------------------------------------+--------+
| 8a3c6a4e-e7a5-4e25-83c4-6e93bbf6c2f2 | centos |
+--------------------------------------+--------+
