控制节点:node1 1CPU 4G内存 ens33 192.168.77.132/24 ens34 192.168.8.128/24 计算节点:node2 1CPU 2G内存 ens33 192.168.77.133/24 ens34 192.168.8.129/24 安全:openssl rand -hex 10 网络:每个节点必须能够访问外网 控制节点: 提供者网络:192.168.77.132/24 管理网络:192.168.8.128/24 centos7.6 配置网卡,设置主机名,添加hosts,关闭防火墙和selinux 计算节点: 提供者网络:192.168.77.133/24 管理网络:192.168.8.129/24 centos7.6 配置网卡,设置主机名,添加hosts,关闭防火墙和selinux 验证连接性:每个节点要能访问外网,通过hosts能够互相访问, NTP: 控制节点:
yum install chrony vim /etc/chrony.conf server ntp1.aliyun.com iburst #添加阿里云的时间服务器 allow 192.168.8.0/24 systemctl enable chronyd.service systemctl start chronyd.service其他节点:
yum install chrony vim /etc/chrony.conf server node1 iburst systemctl enable chronyd.service systemctl start chronyd.service验证: 控制节点上
chronyc sources 210 Number of sources = 2 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^- 192.0.2.11 2 7 12 137 -2814us[-3000us] +/- 43ms ^* 192.0.2.12 2 6 177 46 +17us[ -23us] +/- 68ms其他节点上
chronyc sources 210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* node1 3 9 377 421 +15us[ -87us] +/- 15msopenstack packages: 在所有节点上
yum install centos-release-openstack-ussuri yum config-manager --set-enabled PowerTools yum upgrade yum install python-openstackclient #客户端 yum install openstack-selinux #关闭seLinux可不用安装数据库: 在控制节点上
yum install mariadb mariadb-server python2-PyMySQL vim /etc/my.cnf [mysqld] bind-address = 192.168.8.128 #绑定控制节点的管理IP default-storage-engine = innodb innodb_file_per_table = on max_connections = 4096 collation-server = utf8_general_ci character-set-server = utf8 systemctl enable mariadb.service systemctl start mariadb.service mysql_secure_installation安装消息队列: 在控制节点上
yum install rabbitmq-server systemctl enable rabbitmq-server.service systemctl start rabbitmq-server.service rabbitmqctl add_user openstack 123qwe,./ #添加用户(123qwe,./ 仅为示例密码,实际部署按上文用 openssl rand -hex 10 生成) rabbitmqctl set_permissions openstack ".*" ".*" ".*" #添加读写权限安装缓存服务器: 在控制节点上
yum install memcached python-memcached vim /etc/sysconfig/memcached OPTIONS="-l 127.0.0.1,::1,node1" systemctl enable memcached.service systemctl start memcached.service安装etcd:
yum install etcd vim /etc/etcd/etcd.conf #[Member] ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="http://192.168.8.128:2380" #添加管理网络IP ETCD_LISTEN_CLIENT_URLS="http://192.168.8.128:2379" ETCD_NAME="controller" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.128:2380" ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.128:2379" ETCD_INITIAL_CLUSTER="controller=http://192.168.8.128:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01" ETCD_INITIAL_CLUSTER_STATE="new" systemctl enable etcd systemctl start etcd安装keystone: 在控制节点上
mysql -u root -p MariaDB [(none)]> CREATE DATABASE keystone; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123qwe,./'; yum install openstack-keystone httpd mod_wsgi vim /etc/keystone/keystone.conf [database] #... connection = mysql+pymysql://keystone:123qwe,./@node1/keystone [token] #... provider = fernet su -s /bin/sh -c "keystone-manage db_sync" keystone #填充身份服务数据库 keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone #初始化Fernet密钥存储库 keystone-manage credential_setup --keystone-user keystone --keystone-group keystone keystone-manage bootstrap --bootstrap-password 123qwe,./ \ --bootstrap-admin-url http://node1:5000/v3/ \ --bootstrap-internal-url http://node1:5000/v3/ \ --bootstrap-public-url http://node1:5000/v3/ \ --bootstrap-region-id RegionOne #引导身份服务 vim /etc/httpd/conf/httpd.conf ServerName node1 vim /usr/share/keystone/wsgi-keystone.conf ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ systemctl enable httpd.service systemctl start httpd.service export OS_USERNAME=admin export OS_PASSWORD=123qwe,./ export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_AUTH_URL=http://node1:5000/v3 export OS_IDENTITY_API_VERSION=3 openstack domain create --description "An Example Domain" example openstack project create --domain default --description "Service Project" service openstack project create --domain default --description "Demo Project" myproject openstack user create --domain default --password-prompt myuser openstack role create myrole openstack role add --project myproject --user myuser myrole验证: 在控制节点上
unset OS_AUTH_URL OS_PASSWORD #取消环境变量 openstack --os-auth-url http://node1:5000/v3 \ --os-project-domain-name Default --os-user-domain-name Default \ --os-project-name admin --os-username admin token issue #请求一个身份验证令牌 openstack --os-auth-url http://node1:5000/v3 \ --os-project-domain-name Default --os-user-domain-name Default \ --os-project-name myproject --os-username myuser token issue vim admin-openrc export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=123qwe,./ export OS_AUTH_URL=http://node1:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 vim demo-openrc export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=myproject export OS_USERNAME=myuser export OS_PASSWORD=123qwe,./ export OS_AUTH_URL=http://node1:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 . admin-openrc openstack token issue安装glance: 在控制节点上
mysql -u root -p MariaDB [(none)]> CREATE DATABASE glance; MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '123qwe,./'; . admin-openrc openstack user create --domain default --password-prompt glance openstack role add --project service --user glance admin openstack service create --name glance --description "OpenStack Image" image openstack endpoint create --region RegionOne image public http://node1:9292 openstack endpoint create --region RegionOne image internal http://node1:9292 openstack endpoint create --region RegionOne image admin http://node1:9292 yum install openstack-glance vim /etc/glance/glance-api.conf [database] #... connection = mysql+pymysql://glance:123qwe,./@node1/glance [keystone_authtoken] #... www_authenticate_uri = http://node1:5000 auth_url = http://node1:5000 memcached_servers = node1:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = glance password = 123qwe,./ [paste_deploy] #... flavor = keystone [glance_store] #... stores = file,http default_store = file filesystem_store_datadir = /var/lib/glance/images/ vim /etc/glance/glance-registry.conf [database] #... connection = mysql+pymysql://glance:123qwe,./@node1/glance [keystone_authtoken] #... www_authenticate_uri = http://node1:5000 auth_url = http://node1:5000 memcached_servers = node1:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = glance password = 123qwe,./ [paste_deploy] #... flavor = keystone su -s /bin/sh -c "glance-manage db_sync" glance systemctl enable openstack-glance-api.service openstack-glance-registry.service systemctl start openstack-glance-api.service openstack-glance-registry.service验证: 在控制节点上
. admin-openrc wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img openstack image create "cirros" \ --file cirros-0.4.0-x86_64-disk.img \ --disk-format qcow2 --container-format bare \ --public openstack image list安装nova 在控制节点上
mysql -u root -p MariaDB [(none)]> CREATE DATABASE nova_api; MariaDB [(none)]> CREATE DATABASE nova; MariaDB [(none)]> CREATE DATABASE nova_cell0; MariaDB [(none)]> CREATE DATABASE placement; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' \ IDENTIFIED BY '123qwe,./'; . 
admin-openrc openstack user create --domain default --password-prompt nova openstack service create --name nova --description "OpenStack Compute" compute openstack endpoint create --region RegionOne compute public http://node1:8774/v2.1 openstack endpoint create --region RegionOne compute internal http://node1:8774/v2.1 openstack endpoint create --region RegionOne compute admin http://node1:8774/v2.1 openstack user create --domain default --password-prompt placement openstack role add --project service --user placement admin openstack service create --name placement --description "Placement API" placement openstack endpoint create --region RegionOne placement public http://node1:8778 openstack endpoint create --region RegionOne placement internal http://node1:8778 openstack endpoint create --region RegionOne placement admin http://node1:8778 yum install openstack-nova-api openstack-nova-conductor \ openstack-nova-console openstack-nova-novncproxy \ openstack-nova-scheduler openstack-nova-placement-api vim /etc/nova/nova.conf [DEFAULT] #... enabled_apis = osapi_compute,metadata transport_url = rabbit://openstack:123qwe,./@node1 my_ip = 192.168.8.128 use_neutron = true firewall_driver = nova.virt.firewall.NoopFirewallDriver [api_database] #... connection = mysql+pymysql://nova:123qwe,./@node1/nova_api [database] #... connection = mysql+pymysql://nova:123qwe,./@node1/nova [placement_database] #... connection = mysql+pymysql://placement:123qwe,./@node1/placement [api] #... auth_strategy = keystone [keystone_authtoken] #... auth_url = http://node1:5000/v3 memcached_servers = node1:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = nova password = 123qwe,./ [vnc] enabled = true #... server_listen = $my_ip server_proxyclient_address = $my_ip [glance] #... api_servers = http://node1:9292 [oslo_concurrency] #... lock_path = /var/lib/nova/tmp [placement] #... 
region_name = RegionOne project_domain_name = Default project_name = service auth_type = password user_domain_name = Default auth_url = http://node1:5000/v3 username = placement password = 123qwe,./ vim /etc/httpd/conf.d/00-nova-placement-api.conf <Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory> systemctl restart httpd su -s /bin/sh -c "nova-manage api_db sync" nova su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova su -s /bin/sh -c "nova-manage db sync" nova su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova systemctl enable openstack-nova-api.service \ openstack-nova-consoleauth openstack-nova-scheduler.service \ openstack-nova-conductor.service openstack-nova-novncproxy.service systemctl start openstack-nova-api.service \ openstack-nova-consoleauth openstack-nova-scheduler.service \ openstack-nova-conductor.service openstack-nova-novncproxy.service在计算节点上
yum install openstack-nova-compute vim /etc/nova/nova.conf [DEFAULT] #... enabled_apis = osapi_compute,metadata transport_url = rabbit://openstack:123qwe,./@node1 my_ip = 192.168.8.129 use_neutron = true firewall_driver = nova.virt.firewall.NoopFirewallDriver [api] #... auth_strategy = keystone [keystone_authtoken] #... auth_url = http://node1:5000/v3 memcached_servers = node1:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = nova password = 123qwe,./ [vnc] #... enabled = true server_listen = 0.0.0.0 server_proxyclient_address = $my_ip novncproxy_base_url = http://node1:6080/vnc_auto.html [glance] #... api_servers = http://node1:9292 [oslo_concurrency] #... lock_path = /var/lib/nova/tmp [placement] #... region_name = RegionOne project_domain_name = Default project_name = service auth_type = password user_domain_name = Default auth_url = http://node1:5000/v3 username = placement password = 123qwe,./ [libvirt] # ... virt_type = qemu egrep -c '(vmx|svm)' /proc/cpuinfo #查看是否支持虚拟化硬件加速 systemctl enable libvirtd.service openstack-nova-compute.service systemctl start libvirtd.service openstack-nova-compute.service在控制节点上
. admin-openrc openstack compute service list --service nova-compute su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova #发现计算节点 vim /etc/nova/nova.conf [scheduler] discover_hosts_in_cells_interval = 300验证: 在控制节点上
. admin-openrc openstack compute service list openstack catalog list openstack image list nova-status upgrade check安装neutron 在控制节点上
mysql -uroot -p MariaDB [(none)] CREATE DATABASE neutron; MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ IDENTIFIED BY '123qwe,./'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ IDENTIFIED BY '123qwe,./'; . admin-openrc openstack user create --domain default --password-prompt neutron openstack role add --project service --user neutron admin openstack service create --name neutron --description "OpenStack Networking" network openstack endpoint create --region RegionOne network public http://node1:9696 openstack endpoint create --region RegionOne network internal http://node1:9696 openstack endpoint create --region RegionOne network admin http://node1:9696 yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables vim /etc/neutron/neutron.conf [database] #... connection = mysql+pymysql://neutron:123qwe,./@node1/neutron [DEFAULT] #... core_plugin = ml2 service_plugins = router allow_overlapping_ips = true transport_url = rabbit://openstack:123qwe,./@node1 auth_strategy = keystone notify_nova_on_port_status_changes = true notify_nova_on_port_data_changes = true [keystone_authtoken] #... www_authenticate_uri = http://node1:5000 auth_url = http://node1:5000 memcached_servers = node1:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = 123qwe,./ [nova] #... auth_url = http://node1:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = nova password = 123qwe,./ [oslo_concurrency] #... lock_path = /var/lib/neutron/tmp vim /etc/neutron/plugins/ml2/ml2_conf.ini [ml2] #... type_drivers = flat,vlan,vxlan tenant_network_types = vxlan mechanism_drivers = linuxbridge,l2population extension_drivers = port_security [ml2_type_flat] #... flat_networks = provider [ml2_type_vxlan] #... vni_ranges = 1:1000 [securitygroup] #... 
enable_ipset = true vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini [linux_bridge] physical_interface_mappings = provider:ens33 [vxlan] enable_vxlan = true local_ip = 192.168.77.132 l2_population = true [securitygroup] #... enable_security_group = true firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver vim /etc/neutron/l3_agent.ini [DEFAULT] #... interface_driver = linuxbridge vim /etc/neutron/dhcp_agent.ini [DEFAULT] #... interface_driver = linuxbridge dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = true vim /etc/neutron/metadata_agent.ini [DEFAULT] #... nova_metadata_host = node1 metadata_proxy_shared_secret = 123qwe,./ vim /etc/nova/nova.conf [neutron] #... url = http://node1:9696 auth_url = http://node1:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = neutron password = 123qwe,./ service_metadata_proxy = true metadata_proxy_shared_secret = 123qwe,./ ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron systemctl restart openstack-nova-api.service systemctl enable neutron-server.service \ neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ neutron-metadata-agent.service systemctl start neutron-server.service \ neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ neutron-metadata-agent.service systemctl enable neutron-l3-agent.service systemctl start neutron-l3-agent.service在计算节点上
yum install openstack-neutron-linuxbridge ebtables ipset vim /etc/neutron/neutron.conf [DEFAULT] #... transport_url = rabbit://openstack:123qwe,./@node1 auth_strategy = keystone [keystone_authtoken] #... www_authenticate_uri = http://node1:5000 auth_url = http://node1:5000 memcached_servers = node1:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = 123qwe,./ [oslo_concurrency] #... lock_path = /var/lib/neutron/tmp vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini [linux_bridge] physical_interface_mappings = provider:ens33 [vxlan] enable_vxlan = true local_ip = 192.168.77.133 l2_population = true [securitygroup] #... enable_security_group = true firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver vim /etc/nova/nova.conf [neutron] #... url = http://node1:9696 auth_url = http://node1:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = neutron password = 123qwe,./ systemctl restart openstack-nova-compute.service systemctl enable neutron-linuxbridge-agent.service systemctl start neutron-linuxbridge-agent.service在控制节点上
. admin-openrc openstack extension list --network openstack network agent list安装horizon 在控制节点上
yum install openstack-dashboard vim /etc/openstack-dashboard/local_settings OPENSTACK_HOST = "node1" ALLOWED_HOSTS = ['one.example.com', 'two.example.com','*'] SESSION_ENGINE = 'django.contrib.sessions.backends.cache' CACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION': 'node1:11211', } } OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True OPENSTACK_API_VERSIONS = { "identity": 3, "image": 2, "volume": 2, } OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default" OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user" OPENSTACK_NEUTRON_NETWORK = { ... 'enable_router': False, 'enable_quotas': False, 'enable_distributed_router': False, 'enable_ha_router': False, 'enable_lb': False, 'enable_firewall': False, 'enable_vpn': False, 'enable_fip_topology_check': False, } TIME_ZONE = "Asia/Shanghai" vim /etc/httpd/conf.d/openstack-dashboard.conf WSGIApplicationGroup %{GLOBAL} systemctl restart httpd.service memcached.service验证: http://node1/dashboard