Руководство по установке и запуску OpenStack в ALT Linux p8

Материал из ALT Linux Wiki
Stub.png
Данная страница находится в разработке.
Эта страница ещё не закончена. Информация, представленная здесь, может оказаться неполной или неверной.


Инструкция по мотивам установки на Redhat: https://docs.openstack.org/newton/install-guide-rdo/

Инструкция в разработке.

Минимальные требования к оборудованию

  • Процессорных ядер - одно;
  • Оперативная память от 4Gb;
  • Диск 20 Гб.
* На машине с 2Gb RAM - сталкивался с нехваткой памяти и падением процессов. 

Пример установки с сетевым модулем (neutron) на управляющем узле (controller)

Сетевые интерфейсы:


  • ens19 - интерфейс управляющей сети openstack (10.0.0.0/24)
  • ens20 - "provider interface" параметры в этом руководстве используется диапазон 203.0.113.101-203.0.113.250, в сети 203.0.113.0/24, шлюз 203.0.113.1

Установка управляющего узла

Добавляем на узле в /etc/hosts (не удаляйте хост 127.0.0.1)

# Управляющий узел
10.0.0.11 controller
# Вычислительный узел
10.0.0.31 compute1

Подготовка к установке

# apt-get update -y
# apt-get dist-upgrade  -y
  1. Удаление firewalld

apt-get remove firewalld

Установка ПО

# apt-get install python-module-pymysql openstack-nova chrony python-module-memcached python3-module-memcached python-module-pymemcache python3-module-pymemcache mariadb-server python-module-MySQLdb python-module-openstackclient openstack-glance python-module-glance python-module-glance_store python-module-glanceclient  python-module-glanceclient python-module-glance_store  python-module-glance openstack-glance  openstack-nova-api openstack-nova-cells openstack-nova-cert openstack-nova-conductor openstack-nova-console  openstack-nova-scheduler rabbitmq-server  openstack-keystone apache2-mod_wsgi  memcached  openstack-neutron openstack-neutron-ml2   openstack-neutron-linuxbridge openstack-neutron-l3-agent openstack-neutron-dhcp-agent openstack-neutron-server openstack-neutron-metadata-agent openstack-dashboard spice-html5 openstack-nova-spicehtml5proxy mongo-server-mongod mongo-tools python-module-pymongo

Настройка времени

в /etc/chrony.conf добавляем

allow 10.0.0.0/24

Если имеется настроенный свой NTP, заменяем "pool.ntp.org" на свой.

pool pool.ntp.org iburst
# systemctl enable chronyd.service
 Synchronizing state of chronyd.service with SysV service script with /lib/systemd/systemd-sysv-install.
 Executing: /lib/systemd/systemd-sysv-install enable chronyd
# systemctl start chronyd.service


Настройка sql сервера

Комментируем строку "skip-networking" в /etc/my.cnf.d/server.cnf
# cat > /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 10.0.0.11
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
# systemctl enable mariadb
# systemctl start mariadb

задаем пароль администратора sql сервера root и удаляем тестовые таблички

  • пароль по умолчанию пустой "" (после ввода нового пароля, на все вопросы отвечать утвердительно)
# mysql_secure_installation

Настройка сервера сообщений rabbitmq

# systemctl enable rabbitmq.service
# systemctl start rabbitmq

Добавляем пользователя:

# rabbitmqctl add_user openstack RABBIT_PASS
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Настройка memcached

в файле /etc/sysconfig/memcached заменяем строчку LISTEN="127.0.0.1" на

LISTEN="10.0.0.11"


# systemctl enable memcached
# systemctl start memcached

Настройка Keystone

Создаём базу данных и пользователя с паролем.

# mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';

Сохраняем оригинальный конфигурационный файл.

# mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf.orig


# cat >  /etc/keystone/keystone.conf 
[DEFAULT]
admin_token = ADMIN_TOKEN
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]


Заполняем базу данных keystone

# su -s /bin/sh -c "keystone-manage db_sync" keystone
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Настраиваем apache2 для keystone

у нас apache2 собран без mod_version, поэтому убираем в файле /etc/httpd2/conf/sites-available/openstack-keystone.conf всё строчки c IfVersion (

<IfVersion >= 2.4>
</IfVersion>

добавляем в активную конфигурацию keystone

# a2ensite openstack-keystone

Добавляем servername в конфигурацию.

echo ServerName controller >/etc/httpd2/conf/sites-enabled/servername.conf 
systemctl enable httpd2.service
systemctl start httpd2.service


Создание доменов, пользователей и ролей

Для дальнейших работ рекомендуется создать пользователя.

# adduser admin
# su - admin
cat >auth
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

Создаём пользователя demo

# su - admin
. auth

openstack service create --name keystone --description "OpenStack Identity" identity

Пароль для пользователя admin - ADMIN_PASS


openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
openstack domain create --description "Default Domain" default
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default  --password ADMIN_PASS admin
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --domain default --description "Service Project" service
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password demo demo
openstack role create user
openstack role add --project demo --user demo user

Проверка настроек узла управления

# su - admin
$ . auth
unset OS_AUTH_URL OS_PASSWORD

пароль "ADMIN_PASS"

openstack --os-auth-url http://controller:35357/v3 \
 --os-project-domain-name Default --os-user-domain-name Default \
 --os-project-name admin --os-username admin token issue

должно вывести что-то вроде:

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-05-16T15:08:43.854293Z                                                                                                                                                             
|
| id         | gAAAAABZGwfr4_2NvksY-XnVTayUxh0zZEi4vp7Ff4JmdPqbQQy-W3NG2rs6EzImkevuVbvx4RkCtIWwhaxpbsEUoIFhfwaBwRpqE3fmx7d6OruRucHvFEjmtCKpBPHe9htK0s9hm40n7WmaADaYgi9LgnMto6YRNEBG5mzBJhX0b4NoHgeRA0 |
| project_id | d22531fa71e849078c44bb1f00117d87                                                                                                                                                        
|
| user_id    | 7be0608abb9641c5bd8d9f7a3bf519cb                                                                                                                                                        
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

проверка пользователя demo:

openstack --os-auth-url http://controller:5000/v3 \
 --os-project-domain-name Default --os-user-domain-name Default \
 --os-project-name demo --os-username demo token issue
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   
|
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-05-16T15:10:40.979623Z                                                                                                                                                             
|
| id         | gAAAAABZGwhhpQ5BvHvPmM9w6zuXstXZ6JMJDwkbV0zXUBsKLJuJ69CJKux0VoHzxaCKkEuaiOMtIWn2G0u__54HCMQQTvj7f8ddLezXgnlek9KLOPk9FEuoORIg9cahtgqttHgKyLuMKysHzuy331wxrcY-TtsOWWn_yhBJt7NWHtaTN7GEqNg |
| project_id | 19493a015aaf4e5f9983b58b460b3794                                                                                                                                                        
|
| user_id    | 9173af4437f34acd86f5a3d4516c53b6                                                                                                                                                        
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Настройка окружения

su - admin
rm auth
cat > admin-openrc  <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
cat > demo-openrc  <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

Проверка окружения

su - admin
. admin-openrc
openstack token issue

Должно выдать что-то вроде такого:

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-05-16T15:48:13.101936Z                                                                                                                                                             
|
| id         | gAAAAABZGxEtWlJ0eEGve9Y1VvIRk-wQtZN128A92YPFb5iuTJuo2O7G6Gd9IYdnyPZP6xAXDmT2VzIVbuhvOKQi9bItygi2fWRTw7byAZZdKIvR3mAHpsZyLPpS61hM2ydQLsf6g57xhMKy5y1Fw4Z3uXPabK27dZi1aTslIQZB4RA4Q9WZYWM |
| project_id | d22531fa71e849078c44bb1f00117d87                                                                                                                                                        
|
| user_id    | 7be0608abb9641c5bd8d9f7a3bf519cb                                                                                                                                                        
|
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Настройка сервиса glance

 mysql -u root -p
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'GLANCE_DBPASS';

su - admin
. admin-openrc

Задаем пароль сервису glance

openstack user create --domain default --password GLANCE_PASS glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image
openstack endpoint create --region RegionOne image public http://controller:9292
openstack endpoint create --region RegionOne image internal http://controller:9292
openstack endpoint create --region RegionOne image admin http://controller:9292

настраиваем конфиг:

cd /etc/glance/
mv glance-api.conf glance-api.conf_orig
cat >glance-api.conf
[DEFAULT]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
[image_format]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = GLANCE_PASS
[matchmaker_redis]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_policy]
[paste_deploy]
flavor = keystone
[profiler]
[store_type_location_strategy]
[task]
[taskflow_executor]



mv /etc/glance/glance-registry.conf /etc/glance/glance-registry.conf.orig
cat > /etc/glance/glance-registry.conf
[DEFAULT]
[database]
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
[glance_store]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = GLANCE_PASS
[matchmaker_redis]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_policy]
[paste_deploy]
flavor = keystone
[profiler]


Проверка

su - admin
. admin-openrc
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img \  --disk-format qcow2 --container-format bare --public

Загружаем образ в glance.

openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public 

Проверяем успешность загрузки

$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| f1008c6a-f86a-4c48-8332-2573321e4be1 | cirros | active |
+--------------------------------------+--------+--------+

Установка вычислительного узла

Начальная подготовка управляющего узла

Создание БД.

mysql -u root -p
CREATE DATABASE nova_api;
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%'   IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';


Создаём пользователя nova и указываем пароль, который потом будет использоваться при настройке.

openstack user create --domain default --password NOVA_PASS nova

создаём роль

openstack role add --project service --user nova admin

Создаём сервис nova

openstack service create --name nova  --description "OpenStack Compute" compute

создаём API endpoint

openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1/%\(tenant_id\)s

Настройка nova

cd /etc/nova/
mv nova.conf nova.conf.orig
cat >nova.conf
[DEFAULT]
log_dir = /var/log/nova
state_path = /var/lib/nova
connection_type = libvirt
compute_driver = libvirt.LibvirtDriver
image_service = nova.image.glance.GlanceImageService
volume_api_class = nova.volume.cinder.API
auth_strategy = keystone
network_api_class = nova.network.neutronv2.api.API
service_neutron_metadata_proxy = True
security_group_api = neutron
injected_network_template = /usr/share/nova/interfaces.template
web=/usr/share/spice-html5
enabled_apis = osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 10.0.0.11
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api
[barbican]
[cache]
[cells]
[cinder]
[conductor]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://controller:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[keymgr]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = NOVA_PASS
[libvirt]
[matchmaker_redis]
[metrics]
[neutron]
admin_username = neutron
admin_password = %SERVICE_PASSWORD%
admin_tenant_name = %SERVICE_TENANT_NAME%
url = http://localhost:9696
auth_strategy = keystone
admin_auth_url = http://localhost:35357/v2.0
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
[osapi_v21]
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
[oslo_middleware]
[oslo_policy]
[rdp]
[serial_console]
[spice]
spicehtml5proxy_host = ::
html5proxy_base_url = https://10.10.3.169:6082/spice_auto.html
enabled = True
keymap = en-us
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
[workarounds]
[xenserver]


заполнение БД nova

 su -s /bin/sh -c "nova-manage api_db sync" nova
 su -s /bin/sh -c "nova-manage db sync" nova

Запуск nova сервиса

# systemctl enable openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
# systemctl start openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service

Установка вычислительной ноды

Ставим пакеты

apt-get update
apt-get install openstack-nova-compute openstack-neutron-linuxbridge ebtables ipset kernel-modules-ipset-std-def
apt-get dist-upgrade 

Поменяйте ip 10.0.0.xxx на ip своей вычислительной ноды

cd /etc/nova
mv nova.conf nova.conf.orig
cat >nova.conf
[DEFAULT]
log_dir = /var/log/nova
state_path = /var/lib/nova
connection_type = libvirt
compute_driver = libvirt.LibvirtDriver
image_service = nova.image.glance.GlanceImageService
volume_api_class = nova.volume.cinder.API
auth_strategy = keystone
network_api_class = nova.network.neutronv2.api.API
service_neutron_metadata_proxy = True
security_group_api = neutron
injected_network_template = /usr/share/nova/interfaces.template
enabled_apis = osapi_compute,metadata
compute_driver = libvirt.LibvirtDriver
transport_url = rabbit://openstack:RABBIT_PASS@controller
auth_strategy = keystone
my_ip = 10.0.0.39
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
[barbican]
[cache]
[cells]
[cinder]
[conductor]
[cors]
[cors.subdomain]
[database]
connection = mysql://nova:nova@localhost/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://controller:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[keymgr]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = NOVA_PASS
[libvirt]
virt_type = qemu
[matchmaker_redis]
[metrics]
[neutron]
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
[osapi_v21]
[oslo_concurrency]
lock_path = /var/run/nova
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[rdp]
[serial_console]
[spice]
spicehtml5proxy_host = ::
html5proxy_base_url = http://controller:6082/spice_auto.html
enabled = True
agent_enabled = True
server_listen = ::
server_proxyclient_address = 10.0.0.39
keymap = en-us
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled = false
[workarounds]
[xenserver]

Завершение установки

Проверка на аппаратное ускорение.

egrep -c '(vmx|svm)' /proc/cpuinfo

Если вывод не 0 меняем в файле /etc/nova/nova.conf строчку

virt_type = qemu

на

virt_type = kvm

Проверка установки nova

su - admin
. admin-openrc
openstack compute service list
+----+------------------+-----------+----------+---------+-------+----------------------------+
| Id | Binary           | Host      | Zone     | Status  | State | Updated At                 |
+----+------------------+-----------+----------+---------+-------+----------------------------+
|  1 | nova-consoleauth | conroller | internal | enabled | up    | 2017-05-18T09:09:12.000000 |
|  2 | nova-conductor   | conroller | internal | enabled | up    | 2017-05-18T09:09:14.000000 |
|  3 | nova-scheduler   | conroller | internal | enabled | up    | 2017-05-18T09:09:19.000000 |
|  6 | nova-compute     | compute3  | nova     | enabled | up    | 2017-05-18T09:09:16.000000 |
+----+------------------+-----------+----------+---------+-------+----------------------------+

Настройка сетевого сервиса neutron

Настраиваем управляющий узел

mysql -u root -p
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';

su - admin
. admin-openrc
openstack user create --domain default --password-prompt neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
openstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:9696
cd /etc/neutron
mv neutron.conf neutron.conf.dist
cat  >neutron.conf
[DEFAULT]
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
state_path = /var/lib/neutron
log_dir = /var/log/neutron
core_plugin = ml2
service_plugins =
rpc_backend = rabbit
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
[keystone_authtoken]
signing_dir = /var/cache/neutron/keystone-signing
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
[matchmaker_redis]
[nova]
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
[oslo_policy]
[qos]
[quotas]
[ssl]

Настройка Modular Layer 2 (ML2)

cd /etc/neutron/plugins/ml2/
mv ml2_conf.ini  ml2_conf.ini.ORIG
cat > ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan
tenant_network_types =
mechanism_drivers = linuxbridge
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
enable_ipset = True


cd /etc/neutron/plugins/ml2/
mv linuxbridge_agent.ini linuxbridge_agent.ini.ORIG
cat >linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:ens20
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = False

Настройка DHCP агента

cd /etc/neutron
mv dhcp_agent.ini dhcp_agent.ini_ORIG
cat >dhcp_agent.ini
[DEFAULT]
dhcp_delete_namespaces = True
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]

Наполнение базы neutron

ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" 
systemctl restart openstack-nova-api.service
systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service
systemctl start  neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service

Настройка neutron на вычислительном узле

cd /etc/neutron
mv neutron.conf neutron.conf_ORIG
cat >neutron.conf 
[DEFAULT]
rpc_backend = rabbit
auth_strategy = keystone
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
[cors]
[cors.subdomain]
[database]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
[matchmaker_redis]
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
rabbit_host = controller
rabbit_userid = openstack
[oslo_policy]
[qos]
[quotas]
[ssl]


cd /etc/neutron/plugins/ml2
mv linuxbridge_agent.ini linuxbridge_agent.ini_ORIG
cat >linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge] 
physical_interface_mappings = provider:ens20
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = False


systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service


Проверка neutron

На управляющем узле запускаем

su - admin
. admin-openrc
 neutron ext-list
+---------------------------+-----------------------------------------------+
| alias                     | name                                          |
+---------------------------+-----------------------------------------------+
| default-subnetpools       | Default Subnetpools                           |
| network-ip-availability   | Network IP Availability                       |
| network_availability_zone | Network Availability Zone                     |
| auto-allocated-topology   | Auto Allocated Topology Services              |
| ext-gw-mode               | Neutron L3 Configurable external gateway mode |
| binding                   | Port Binding                                  |
| agent                     | agent                                         |
| subnet_allocation         | Subnet Allocation                             |
| l3_agent_scheduler        | L3 Agent Scheduler                            |
| tag                       | Tag support                                   |
| external-net              | Neutron external network                      |
| net-mtu                   | Network MTU                                   |
| availability_zone         | Availability Zone                             |
| quotas                    | Quota management support                      |
| l3-ha                     | HA Router extension                           |
| flavors                   | Neutron Service Flavors                       |
| provider                  | Provider Network                              |
| multi-provider            | Multi Provider Network                        |
| address-scope             | Address scope                                 |
| extraroute                | Neutron Extra Route                           |
| timestamp_core            | Time Stamp Fields addition for core resources |
| router                    | Neutron L3 Router                             |
| extra_dhcp_opt            | Neutron Extra DHCP opts                       |
| dns-integration           | DNS Integration                               |
| security-group            | security-group                                |
| dhcp_agent_scheduler      | DHCP Agent Scheduler                          |
| router_availability_zone  | Router Availability Zone                      |
| rbac-policies             | RBAC Policies                                 |
| standard-attr-description | standard-attr-description                     |
| port-security             | Port Security                                 |
| allowed-address-pairs     | Allowed Address Pairs                         |
| dvr                       | Distributed Virtual Router                    |
+---------------------------+-----------------------------------------------+
 neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 08905043-5010-4b87-bba5-aedb1956e27a | Linux bridge agent | compute1   | :-)   | True           | neutron-linuxbridge-agent |
| 27eee952-a748-467b-bf71-941e89846a92 | Linux bridge agent | controller | :-)   | True           | neutron-linuxbridge-agent |
| dd3644c9-1a3a-435a-9282-eb306b4b0391 | DHCP agent         | controller | :-)   | True           | neutron-dhcp-agent        |
| f49a4b81-afd6-4b3d-b923-66c8f0517099 | Metadata agent     | controller | :-)   | True           | neutron-metadata-agent    |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+

Настройка web интерфейса

Включаем spice консоль (необходимые настройки уже имеются в конфигах)

systemctl enable openstack-nova-spicehtml5proxy.service
systemctl start openstack-nova-spicehtml5proxy.service


cd /etc/openstack-dashboard
mv local_settings local_settings_ORIG
cat >local_settings
# -*- coding: utf-8 -*-
import os
from django.utils.translation import ugettext_lazy as _
from openstack_dashboard import exceptions
from openstack_dashboard.settings import HORIZON_CONFIG
DEBUG = False
TEMPLATE_DEBUG = DEBUG
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', ]
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
   'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
   }
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
   "identity": 3,
   "image": 2,
   "volume": 2,
}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
   'enable_router': False,
   'enable_quotas': False,
   'enable_distributed_router': False,
   'enable_ha_router': False,
   'enable_lb': False,
   'enable_firewall': False,
   'enable_vpn': False,
   'enable_fip_topology_check': False,
}
TIME_ZONE = "Europe/Moscow"
WEBROOT = '/dashboard/'
LOCAL_PATH = '/tmp'
SECRET_KEY='da8b52fb799a5319e747'
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
OPENSTACK_KEYSTONE_BACKEND = {
   'name': 'native',
   'can_edit_user': True,
   'can_edit_group': True,
   'can_edit_project': True,
   'can_edit_domain': True,
   'can_edit_role': True,
}
OPENSTACK_HYPERVISOR_FEATURES = {
   'can_set_mount_point': False,
   'can_set_password': False,
   'requires_keypair': False,
}
OPENSTACK_CINDER_FEATURES = {
   'enable_backup': False,
}
OPENSTACK_HEAT_STACK = {
   'enable_user_pass': True,
}
IMAGE_CUSTOM_PROPERTY_TITLES = {
   "architecture": _("Architecture"),
   "image_state": _("Euca2ools state"),
   "project_id": _("Project ID"),
   "image_type": _("Image Type"),
}
IMAGE_RESERVED_CUSTOM_PROPERTIES = []
API_RESULT_LIMIT = 1000
API_RESULT_PAGE_SIZE = 20
SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
DROPDOWN_MAX_ITEMS = 30
TIME_ZONE = "UTC"
POLICY_FILES_PATH = '/etc/openstack-dashboard'
LOGGING = {
   'version': 1,
   # When set to True this will disable all logging except
   # for loggers specified in this configuration dictionary. Note that
   # if nothing is specified here and disable_existing_loggers is True,
   # django.db.backends will still log unless it is disabled explicitly.
   'disable_existing_loggers': False,
   'handlers': {
       'null': {
           'level': 'DEBUG',
           'class': 'logging.NullHandler',
       },
       'console': {
           # Set the level to "DEBUG" for verbose output logging.
           'level': 'INFO',
           'class': 'logging.StreamHandler',
       },
   },
   'loggers': {
       # Logging from django.db.backends is VERY verbose, send to null
       # by default.
       'django.db.backends': {
           'handlers': ['null'],
           'propagate': False,
       },
       'requests': {
           'handlers': ['null'],
           'propagate': False,
       },
       'horizon': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'openstack_dashboard': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'novaclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'cinderclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'keystoneclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'glanceclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'neutronclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'heatclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'ceilometerclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'swiftclient': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'openstack_auth': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'nose.plugins.manager': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'django': {
           'handlers': ['console'],
           'level': 'DEBUG',
           'propagate': False,
       },
       'iso8601': {
           'handlers': ['null'],
           'propagate': False,
       },
       'scss': {
           'handlers': ['null'],
           'propagate': False,
       },
   },
}
SECURITY_GROUP_RULES = {
   'all_tcp': {
       'name': _('All TCP'),
       'ip_protocol': 'tcp',
       'from_port': '1',
       'to_port': '65535',
   },
   'all_udp': {
       'name': _('All UDP'),
       'ip_protocol': 'udp',
       'from_port': '1',
       'to_port': '65535',
   },
   'all_icmp': {
       'name': _('All ICMP'),
       'ip_protocol': 'icmp',
       'from_port': '-1',
       'to_port': '-1',
   },
   'ssh': {
       'name': 'SSH',
       'ip_protocol': 'tcp',
       'from_port': '22',
       'to_port': '22',
   },
   'smtp': {
       'name': 'SMTP',
       'ip_protocol': 'tcp',
       'from_port': '25',
       'to_port': '25',
   },
   'dns': {
       'name': 'DNS',
       'ip_protocol': 'tcp',
       'from_port': '53',
       'to_port': '53',
   },
   'http': {
       'name': 'HTTP',
       'ip_protocol': 'tcp',
       'from_port': '80',
       'to_port': '80',
   },
   'pop3': {
       'name': 'POP3',
       'ip_protocol': 'tcp',
       'from_port': '110',
       'to_port': '110',
   },
   'imap': {
       'name': 'IMAP',
       'ip_protocol': 'tcp',
       'from_port': '143',
       'to_port': '143',
   },
   'ldap': {
       'name': 'LDAP',
       'ip_protocol': 'tcp',
       'from_port': '389',
       'to_port': '389',
   },
   'https': {
       'name': 'HTTPS',
       'ip_protocol': 'tcp',
       'from_port': '443',
       'to_port': '443',
   },
   'smtps': {
       'name': 'SMTPS',
       'ip_protocol': 'tcp',
       'from_port': '465',
       'to_port': '465',
   },
   'imaps': {
       'name': 'IMAPS',
       'ip_protocol': 'tcp',
       'from_port': '993',
       'to_port': '993',
   },
   'pop3s': {
       'name': 'POP3S',
       'ip_protocol': 'tcp',
       'from_port': '995',
       'to_port': '995',
   },
   'ms_sql': {
       'name': 'MS SQL',
       'ip_protocol': 'tcp',
       'from_port': '1433',
       'to_port': '1433',
   },
   'mysql': {
       'name': 'MYSQL',
       'ip_protocol': 'tcp',
       'from_port': '3306',
       'to_port': '3306',
   },
   'rdp': {
       'name': 'RDP',
       'ip_protocol': 'tcp',
       'from_port': '3389',
       'to_port': '3389',
   },
}
REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
                              'LAUNCH_INSTANCE_DEFAULTS']

Перезапуск приложений

 a2ensite openstack-dashboard
systemctl restart httpd2.service memcached.service

Запуск виртуальной машины

Создание сети

su - admin
. admin-openrc
neutron net-create --shared --provider:physical_network provider --provider:network_type flat provider
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0e62efcd-8cee-46c7-b163-d8df05c3c5ad |
| mtu                       | 1500                                 |
| name                      | provider                             |
| port_security_enabled     | True                                 |
| provider:network_type     | flat                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  |                                      |
| router:external           | False                                |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | d84313397390425c8ed50b2f6e18d092     |
+---------------------------+--------------------------------------+

Заменяем данные выделенные жирным на свой пул адресов, шлюз и DNS сервер.

neutron subnet-create --name provider --allocation-pool start=203.0.113.101,end=203.0.113.250 --dns-nameserver 8.8.4.4 --gateway 203.0.113.1  provider 203.0.113.0/24


su - admin
. admin-openrc 

Создаём новый шаблон оборудования для тестового образа.

openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano

Многие образы облачных сервисов поддерживают авторизацию через ключи, поэтому создаём ключи и импортируем их.

. demo-openrc
ssh-keygen -q -N ""
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey 

Проверяем импорт:

openstack keypair list
+-------+-------------------------------------------------+
| Name  | Fingerprint                                     |
+-------+-------------------------------------------------+
| mykey | be:68:58:f8:0a:6e:1e:c7:36:1c:8c:ff:c9:30:3f:60 |
+-------+-------------------------------------------------+


Создаём групповые политики (group rules)

openstack security group rule create --proto icmp default
openstack security group rule create --proto tcp --dst-port 22 default

Проверяем, что образ машины cirros, шаблон m1.nano и группа безопасности default создана.

openstack flavor list
openstack image list
openstack security group list

Отсюда нужно будет взять ID сети provider

openstack network list
 +--------------------------------------+--------------+--------------------------------------+
| ID                                   | Name         | Subnets                              |
+--------------------------------------+--------------+--------------------------------------+
| 4716ddfe-6e60-40e7-b2a8-42e57bf3c31c | selfservice  | 2112d5eb-f9d6-45fd-906e-7cabd38b7c7c |
| b5b6993c-ddf9-40e7-91d0-86806a42edb8 | provider     | 310911f6-acf0-4a47-824e-3032916582ff |
+--------------------------------------+--------------+--------------------------------------+

Создаём виртуальную машины

openstack server create --flavor m1.tiny --image cirros -nic net-id='''PROVIDER_NET_ID''' --security-group default --key-name mykey provider-instance
+--------------------------------------+-----------------------------------------------+
| Property                             | Value                                         |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                        |
| OS-EXT-AZ:availability_zone          | nova                                          |
| OS-EXT-STS:power_state               | 0                                             |
| OS-EXT-STS:task_state                | scheduling                                    |
| OS-EXT-STS:vm_state                  | building                                      |
| OS-SRV-USG:launched_at               | -                                             |
| OS-SRV-USG:terminated_at             | -                                             |
| accessIPv4                           |                                               |
| accessIPv6                           |                                               |
| adminPass                            | hdF4LMQqC5PB                                  |
| config_drive                         |                                               |
| created                              | 2015-09-17T21:58:18Z                          |
| flavor                               | m1.tiny (1)                                   |
| hostId                               |                                               |
| id                                   | 181c52ba-aebc-4c32-a97d-2e8e82e4eaaf          |
| image                                | cirros (38047887-61a7-41ea-9b49-27987d5e8bb9) |
| key_name                             | mykey                                         |
| metadata                             | {}                                            |
| name                                 | provider-instance                             |
| os-extended-volumes:volumes_attached | []                                            |
| progress                             | 0                                             |
| security_groups                      | default                                       |
| status                               | BUILD                                         |
| tenant_id                            | f5b2ccaa75ac413591f12fcaa096aa5c              |
| updated                              | 2015-09-17T21:58:18Z                          |
| user_id                              | 684286a9079845359882afc3aa5011fb              |
+--------------------------------------+-----------------------------------------------+

Проверяем статус виртуальной машины:

 openstack server list
+--------------------------------------+-------------------+--------+------------------------+------------+
| ID                                   | Name              | Status | Networks               | Image Name |
+--------------------------------------+-------------------+--------+------------------------+------------+
| 181c52ba-aebc-4c32-a97d-2e8e82e4eaaf | provider-instance | ACTIVE | provider=203.0.113.103 | cirros     |
+--------------------------------------+-------------------+--------+------------------------+------------+

Проверка доступности шлюза.

ping -c 4 203.0.113.1

PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_req=1 ttl=64 time=0.357 ms
64 bytes from 203.0.113.1: icmp_req=2 ttl=64 time=0.473 ms
64 bytes from 203.0.113.1: icmp_req=3 ttl=64 time=0.504 ms
64 bytes from 203.0.113.1: icmp_req=4 ttl=64 time=0.470 ms

--- 203.0.113.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms

Проверка доступности виртуальной машины.

ping -c 4 203.0.113.103

PING 203.0.113.103 (203.0.113.103) 56(84) bytes of data.
64 bytes from 203.0.113.103: icmp_req=1 ttl=63 time=3.18 ms
64 bytes from 203.0.113.103: icmp_req=2 ttl=63 time=0.981 ms
64 bytes from 203.0.113.103: icmp_req=3 ttl=63 time=1.06 ms
64 bytes from 203.0.113.103: icmp_req=4 ttl=63 time=0.929 ms

--- 203.0.113.103 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms

Зайдём на виртуальную машину.

ssh cirros@203.0.113.103