Last time I tried out the Keystone identity service of the new OpenStack release, but on the CLI side the keystone client has been deprecated and everything is called through openstackclient, which is quite different from the H (Havana) release. Today I tried again, this time together with Horizon, to get familiar with the routine basic operations. As for the correct way to write the RC file, it is worth thinking through a method rather than blindly searching the web.
First, the test environment. Since the goal for now is still to get familiar with the new release, I build a single-node devstack directly inside a virtual machine.
VM: VMware Fusion on a Mac. Resources: 2 cores, 3.9G memory. Network: Bridge mode.
Memory should be close to 4G here; once all services are started they use roughly that much. For networking I chose Bridge rather than NAT mode.
Then install Linux in the VM. I am still using CentOS 7.2, kernel version 3.10.0-229.el7.x86_64. After the CentOS VM has been created and installed, and before OpenStack is installed, I recommend opening port 80, because I access the web UI from the Mac. Do not change it with the iptables command directly, since that change is lost when the service restarts; even less should you open it after OpenStack is already running, because restarting the iptables service at that point drops the temporary firewall rules OpenStack has added. So change the OS firewall rules permanently at the very beginning and be done with it.
On CentOS it is enough to add one line to the firewall config:
[lihui@openstack ~]$ sudo cat /etc/sysconfig/iptables | grep 80
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Then restart the service, and verify from the Mac with telnet:
[lihui@openstack ~]$ sudo service iptables restart

lihui@MacBook ~ telnet 192.168.100.13 80
Trying 192.168.100.13...
Connected to 192.168.100.13.
Escape character is '^]'.
^]
telnet>
That is all it takes; the firewall rules now look like this:
[lihui@openstack ~]$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Next comes installing devstack. There is not much to say about that: just install it, and work through any problems along the way yourself. When it finishes, the output looks roughly like this:
This is your host IP address: 192.168.100.13
This is your host IPv6 address: ::1
Horizon is now available at http://192.168.100.13/dashboard
Keystone is serving at http://192.168.100.13/identity/
The default users are: admin and demo
The password: lihui
2017-04-03 04:53:24.400 | WARNING:
2017-04-03 04:53:24.400 | Using lib/neutron-legacy is deprecated, and it will be removed in the future
2017-04-03 04:53:24.400 | stack.sh completed in 1187 seconds.
It prints some host information. Since this is a single node rather than a distributed deployment, all the IP addresses are the same one; if you want to call the APIs, this IP is the host of every service. There are two default users, both with the password lihui, and one warning that neutron's CLI will be retired later on, which was already known from before.
Comparing the iptables rules again, a whole batch has been added:
[lihui@openstack ~]$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
-A nova-api-INPUT -d 192.168.100.13/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
Once it is built, typing 192.168.100.13 into the browser on the Mac redirects automatically to the dashboard, but what comes back is an ERROR:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
This calls for a little thought: port 80 is open and telnet packets already get through, so the firewall is not involved; the only remaining possibility is the web server. Since it is Apache, look at the httpd processes:
[lihui@openstack devstack]$ ps aux | grep httpd
root      40230  0.0  0.0 109688   996 pts/6    S+   12:38   0:00 sudo tail -f /var/log/httpd/keystone.log
root      40240  0.0  0.0   4352   368 pts/6    S+   12:38   0:00 tail -f /var/log/httpd/keystone.log
root      40461  0.0  0.0 109688   996 pts/7    S+   12:38   0:00 sudo tail -f /var/log/httpd/keystone_access.log
root      40469  0.0  0.0   4352   412 pts/7    S+   12:38   0:00 tail -f /var/log/httpd/keystone_access.log
root      68623  0.0  0.1 255668  5528 ?        Ss   12:50   0:00 /usr/sbin/httpd -DFOREGROUND
apache    68646  0.0  0.1 260044  6592 ?        S    12:50   0:00 /usr/sbin/httpd -DFOREGROUND
apache    68647  0.0  0.1 260044  7056 ?        S    12:50   0:00 /usr/sbin/httpd -DFOREGROUND
apache    68650  0.0  0.1 260044  7128 ?        S    12:50   0:00 /usr/sbin/httpd -DFOREGROUND
apache    68651  0.0  0.1 260044  7152 ?        S    12:50   0:00 /usr/sbin/httpd -DFOREGROUND
root      69019  0.0  0.0 109688  1808 pts/24   S+   12:50   0:00 sudo tail -f /var/log/httpd/horizon_error.log
root      69024  0.0  0.0   4352   540 pts/24   S+   12:50   0:00 tail -f /var/log/httpd/horizon_error.log
apache    69310  0.0  0.1 260044  7088 ?        S    12:50   0:00 /usr/sbin/httpd -DFOREGROUND
apache    71329  0.0  0.1 260044  7076 ?        S    12:51   0:00 /usr/sbin/httpd -DFOREGROUND
apache    76979  0.0  0.1 260060  7040 ?        S    12:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    76982  0.0  0.1 260028  6596 ?        S    12:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    76983  0.0  0.1 260060  6608 ?        S    12:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache    76987  0.0  0.1 260044  6428 ?        S    12:53   0:00 /usr/sbin/httpd -DFOREGROUND
lihui     80618  0.0  0.0 112660   972 pts/3    R+   13:13   0:00 grep --color=auto httpd
The processes are indeed all up, but the horizon_error.log that is being tailed continuously caught my attention, so let's look at the details:
[lihui@openstack devstack]$ sudo tail -f /var/log/httpd/horizon_error.log
2017-04-03 05:11:49.412629     obj = self.var.resolve(context)
2017-04-03 05:11:49.412633   File "/usr/lib/python2.7/site-packages/django/template/base.py", line 789, in resolve
2017-04-03 05:11:49.412640     value = self._resolve_lookup(context)
2017-04-03 05:11:49.412645   File "/usr/lib/python2.7/site-packages/django/template/base.py", line 849, in _resolve_lookup
2017-04-03 05:11:49.412652     current = current()
2017-04-03 05:11:49.412657   File "/usr/lib/python2.7/site-packages/django/http/request.py", line 152, in build_absolute_uri
2017-04-03 05:11:49.412666     host=self.get_host(),
2017-04-03 05:11:49.412671   File "/usr/lib/python2.7/site-packages/django/http/request.py", line 102, in get_host
2017-04-03 05:11:49.412707     raise DisallowedHost(msg)
2017-04-03 05:11:49.412732 DisallowedHost: Invalid HTTP_HOST header: '192.168.100.13'. You may need to add u'192.168.100.13' to ALLOWED_HOSTS.
Seeing this, I had a fair idea of the cause: it looks like a whitelist-style restriction inside Django.
I simply modified the system-wide configuration directly:
[lihui@openstack ~]$ cat /usr/lib/python2.7/site-packages/django/conf/global_settings.py | grep ALLOWED_HOSTS
ALLOWED_HOSTS = ['192.168.100.13']
Restart the web service so the change takes effect:
[lihui@openstack ~]$ sudo service httpd restart
Redirecting to /bin/systemctl restart httpd.service
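The DisallowedHost error in the traceback comes from Django checking the HTTP Host header against the ALLOWED_HOSTS whitelist before build_absolute_uri uses it, so that a forged Host header never ends up in generated links. The following stand-alone function is an added example, not code from this post or from Django itself: it re-implements that matching logic from the documented ALLOWED_HOSTS semantics so the check can be exercised offline.

```python
# Added example (not from the original post): a stand-alone re-implementation
# of the Host-header check behind the DisallowedHost error. Django's
# ALLOWED_HOSTS is a whitelist matched against the Host header; the rules
# below follow the documented semantics (exact host, '.example.com' for a
# domain plus its subdomains, '*' for anything) but are written from scratch
# here so they run without Django installed.
import re

# Accepted Host header forms: hostname[:port], IPv4[:port], [IPv6][:port]
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$")

# With an empty ALLOWED_HOSTS in DEBUG mode, only loopback names are allowed.
_DEBUG_FALLBACK = [".localhost", "127.0.0.1", "[::1]"]


def split_host(host_header):
    """Return the host part of a Host header, lower-cased, without the port."""
    value = host_header.strip().lower()
    m = _HOST_RE.match(value)
    if not m:
        return None          # malformed header: reject outright
    return m.group(1)


def match_pattern(host, pattern):
    """Match one ALLOWED_HOSTS entry against an already-normalised host."""
    if pattern == "*":
        return True
    pattern = pattern.lower()
    if pattern.startswith("."):
        # '.example.com' matches example.com and every subdomain of it
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host_header, allowed_hosts, debug=False):
    """Mimic Django's get_host(): True only if the Host header is permitted."""
    if not allowed_hosts and debug:
        allowed_hosts = _DEBUG_FALLBACK
    host = split_host(host_header)
    if host is None:
        return False
    # a single trailing dot (FQDN form) is stripped before comparing
    if host.endswith(".") and host != ".":
        host = host[:-1]
    return any(match_pattern(host, p) for p in allowed_hosts)
```

With ALLOWED_HOSTS empty, as it was before the edit above, '192.168.100.13' is rejected exactly as the log showed; adding it to the list is what makes the dashboard answer.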
All of this was really just to get Horizon open first and see what unfamiliar things are in there; after the steps above the front end is OK.
Using the user information printed at the end of the install, log in directly as admin.
Nothing else is of much interest; go straight to API Access.
Here all the services are listed, and besides that there is an RC File download at the top; download it without hesitation.
This is what I was after. Compare the differences; skip the other useless information and look straight at the environment variables.
V2:
[lihui@openstack ~]$ cat v2.openrc | grep export
export OS_AUTH_URL=http://192.168.100.13/identity
export OS_TENANT_ID=351726551dae40b1a6d7f4fd6cba168a
export OS_TENANT_NAME="admin"
export OS_USERNAME="admin"
export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_REGION_NAME="RegionOne"
export OS_ENDPOINT_TYPE=publicURL
export OS_IDENTITY_API_VERSION=2
V3:
[lihui@openstack ~]$ cat v3.openrc | grep export
export OS_AUTH_URL=http://192.168.100.13/identity/v3
export OS_PROJECT_ID=351726551dae40b1a6d7f4fd6cba168a
export OS_PROJECT_NAME="admin"
export OS_USER_DOMAIN_NAME="Default"
export OS_USERNAME="admin"
export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_REGION_NAME="RegionOne"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
So v2 has the familiar tenant and user, while in v3, apart from the version number, tenant is gone and project appears instead, which feels like the same thing as tenant; but there is also OS_USER_DOMAIN_NAME set to Default, and I do not yet know what that is, so it needs some study.
What is installed here is already v3 and the keystone executable no longer exists, so I edit the v3 RC file directly and put the password into it. The final version:
export OS_AUTH_URL=http://192.168.100.13/identity/v3
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=lihui
export OS_REGION_NAME=RegionOne
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
Getting a token now works:
[lihui@openstack ~]$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2017-04-03T07:29:01+0000         |
| id         | 1dd4379c7c51459085a09a29f3b43292 |
| project_id | 351726551dae40b1a6d7f4fd6cba168a |
| user_id    | 5a02a2f293434f9bb097e44ac62978e7 |
+------------+----------------------------------+
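What `openstack token issue` does with those variables is a password authentication against the Keystone v3 API, and the request body is where the difference between the v2 and v3 RC files becomes concrete: v3 qualifies the user with OS_USER_DOMAIN_NAME because user names are only unique within a domain, and scopes the token to a project (the v2 tenant) that also lives in a domain. The code below is an added example, not part of the post or of openstackclient; it builds both bodies from a constructed environment, and where OS_PROJECT_DOMAIN_NAME is missing (as in the RC file above) it assumes the user's domain, the client-side default this example relies on.

```python
# Added example, not code from the post: build the Keystone v3 password
# authentication body that `openstack token issue` POSTs, from the same OS_*
# variables as the v3 RC file above, next to the v2 body for comparison.
# Nothing here contacts a server; the functions return plain dicts.
import json

# Constructed sample environment mirroring the post's v3 RC file;
# the password value is a placeholder, not a real credential.
SAMPLE_V3_ENV = {
    "OS_AUTH_URL": "http://192.168.100.13/identity/v3",
    "OS_PROJECT_NAME": "admin",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "<password-placeholder>",
}


def v3_auth_body(env):
    """Body for POST <OS_AUTH_URL>/auth/tokens (Keystone v3).

    In v3 a user name is only unique inside a domain, which is why the RC
    file needs OS_USER_DOMAIN_NAME. The project (the v2 tenant) also lives in
    a domain; when OS_PROJECT_DOMAIN_NAME is absent, as in the post's RC file,
    this example assumes the user's domain (the client-side default).
    """
    user_domain = env["OS_USER_DOMAIN_NAME"]
    project_domain = env.get("OS_PROJECT_DOMAIN_NAME", user_domain)
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": user_domain},
            "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": project_domain}}}}}


def v2_auth_body(env):
    """Body for Keystone v2 POST /v2.0/tokens: tenant name, no domain at all."""
    return {"auth": {
        "tenantName": env["OS_TENANT_NAME"],
        "passwordCredentials": {"username": env["OS_USERNAME"],
                                "password": env["OS_PASSWORD"]}}}


def v3_auth_request(env):
    """(url, headers, json payload) for the v3 token request; the issued token
    comes back in the X-Subject-Token response header, not in the JSON body."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    headers = {"Content-Type": "application/json"}
    return url, headers, json.dumps(v3_auth_body(env))
```

The `id` printed by `openstack token issue` above is that X-Subject-Token value, and `project_id`/`user_id` are the scope the body requested.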
Now you can do whatever you like, for example create a VM to play with; first see which parameters it needs. As for how the old nova and neutron commands map onto openstack, look it up with help yourself.
There are no VMs at this point:
[lihui@openstack ~]$ openstack server list
[lihui@openstack ~]$
Creating a VM
The only parameters required are a flavor and an image.
Flavor list:
[lihui@openstack ~]$ openstack flavor list
+----+-----------+-------+------+-----------+-------+-----------+
| ID | Name      |   RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-------+------+-----------+-------+-----------+
| 1  | m1.tiny   |   512 |    1 |         0 |     1 | True      |
| 2  | m1.small  |  2048 |   20 |         0 |     1 | True      |
| 3  | m1.medium |  4096 |   40 |         0 |     2 | True      |
| 4  | m1.large  |  8192 |   80 |         0 |     4 | True      |
| 42 | m1.nano   |    64 |    0 |         0 |     1 | True      |
| 5  | m1.xlarge | 16384 |  160 |         0 |     8 | True      |
| 84 | m1.micro  |   128 |    0 |         0 |     1 | True      |
| c1 | cirros256 |   256 |    0 |         0 |     1 | True      |
| d1 | ds512M    |   512 |    5 |         0 |     1 | True      |
| d2 | ds1G      |  1024 |   10 |         0 |     1 | True      |
| d3 | ds2G      |  2048 |   10 |         0 |     2 | True      |
| d4 | ds4G      |  4096 |   20 |         0 |     4 | True      |
+----+-----------+-------+------+-----------+-------+-----------+
Images:
[lihui@openstack ~]$ openstack image list
+--------------------------------------+---------------------------------+--------+
| ID                                   | Name                            | Status |
+--------------------------------------+---------------------------------+--------+
| 8586d7d8-c0ef-4c1b-a5eb-f3be792786af | cirros-0.3.4-x86_64-uec         | active |
| a3df6416-3670-46e0-bf19-0ea03150b599 | cirros-0.3.4-x86_64-uec-kernel  | active |
| 59b67f0e-3d60-416e-87ee-6c3a90963f6e | cirros-0.3.4-x86_64-uec-ramdisk | active |
+--------------------------------------+---------------------------------+--------+
Create the VM:
[lihui@openstack ~]$ openstack server create --flavor 1 --image 8586d7d8-c0ef-4c1b-a5eb-f3be792786af new-vm
+-------------------------------------+----------------------------------------------------------------+
| Field                               | Value                                                          |
+-------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                         |
| OS-EXT-AZ:availability_zone         |                                                                |
| OS-EXT-SRV-ATTR:host                | None                                                           |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                                           |
| OS-EXT-SRV-ATTR:instance_name       |                                                                |
| OS-EXT-STS:power_state              | NOSTATE                                                        |
| OS-EXT-STS:task_state               | scheduling                                                     |
| OS-EXT-STS:vm_state                 | building                                                       |
| OS-SRV-USG:launched_at              | None                                                           |
| OS-SRV-USG:terminated_at            | None                                                           |
| accessIPv4                          |                                                                |
| accessIPv6                          |                                                                |
| addresses                           |                                                                |
| adminPass                           | aPCXoX97xYZX                                                   |
| config_drive                        |                                                                |
| created                             | 2017-04-03T06:50:08Z                                           |
| flavor                              | m1.tiny (1)                                                    |
| hostId                              |                                                                |
| id                                  | 7c5365a6-afb3-46bd-b155-df4d7328c926                           |
| image                               | cirros-0.3.4-x86_64-uec (8586d7d8-c0ef-4c1b-a5eb-f3be792786af) |
| key_name                            | None                                                           |
| name                                | new-vm                                                         |
| progress                            | 0                                                              |
| project_id                          | 351726551dae40b1a6d7f4fd6cba168a                               |
| properties                          |                                                                |
| security_groups                     | name='default'                                                 |
| status                              | BUILD                                                          |
| updated                             | 2017-04-03T06:50:10Z                                           |
| user_id                             | 5a02a2f293434f9bb097e44ac62978e7                               |
| volumes_attached                    |                                                                |
+-------------------------------------+----------------------------------------------------------------+
It was created successfully:
[lihui@openstack ~]$ openstack server list
+--------------------------------------+--------+--------+----------+-------------------------+
| ID                                   | Name   | Status | Networks | Image Name              |
+--------------------------------------+--------+--------+----------+-------------------------+
| 7c5365a6-afb3-46bd-b155-df4d7328c926 | new-vm | BUILD  |          | cirros-0.3.4-x86_64-uec |
+--------------------------------------+--------+--------+----------+-------------------------+
[lihui@openstack ~]$ openstack server list
+--------------------------------------+--------+--------+--------------------------------+-------------------------+
| ID                                   | Name   | Status | Networks                       | Image Name              |
+--------------------------------------+--------+--------+--------------------------------+-------------------------+
| 7c5365a6-afb3-46bd-b155-df4d7328c926 | new-vm | ACTIVE | public=2001:db8::8, 172.24.4.3 | cirros-0.3.4-x86_64-uec |
+--------------------------------------+--------+--------+--------------------------------+-------------------------+
The result of SHOW:
[lihui@openstack ~]$ openstack server show 7c5365a6-afb3-46bd-b155-df4d7328c926
+-------------------------------------+----------------------------------------------------------------+
| Field                               | Value                                                          |
+-------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                         |
| OS-EXT-AZ:availability_zone         | nova                                                           |
| OS-EXT-SRV-ATTR:host                | openstack                                                      |
| OS-EXT-SRV-ATTR:hypervisor_hostname | openstack                                                      |
| OS-EXT-SRV-ATTR:instance_name       | instance-00000001                                              |
| OS-EXT-STS:power_state              | Running                                                        |
| OS-EXT-STS:task_state               | None                                                           |
| OS-EXT-STS:vm_state                 | active                                                         |
| OS-SRV-USG:launched_at              | 2017-04-03T06:51:21.000000                                     |
| OS-SRV-USG:terminated_at            | None                                                           |
| accessIPv4                          |                                                                |
| accessIPv6                          |                                                                |
| addresses                           | public=2001:db8::8, 172.24.4.3                                 |
| config_drive                        |                                                                |
| created                             | 2017-04-03T06:50:08Z                                           |
| flavor                              | m1.tiny (1)                                                    |
| hostId                              | 653fbf0dee1be4ec302663cbb289ce3fce37cf28b36f353276a89072       |
| id                                  | 7c5365a6-afb3-46bd-b155-df4d7328c926                           |
| image                               | cirros-0.3.4-x86_64-uec (8586d7d8-c0ef-4c1b-a5eb-f3be792786af) |
| key_name                            | None                                                           |
| name                                | new-vm                                                         |
| progress                            | 0                                                              |
| project_id                          | 351726551dae40b1a6d7f4fd6cba168a                               |
| properties                          |                                                                |
| security_groups                     | name='default'                                                 |
| status                              | ACTIVE                                                         |
| updated                             | 2017-04-03T06:51:22Z                                           |
| user_id                             | 5a02a2f293434f9bb097e44ac62978e7                               |
| volumes_attached                    |                                                                |
+-------------------------------------+----------------------------------------------------------------+
Look at the related ports:
[lihui@openstack ~]$ openstack port list
+--------------------------------------+------+-------------------+-----------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                        | Status |
+--------------------------------------+------+-------------------+-----------------------------------------------------------+--------+
| 43cde396-7ca6-4c3a-a7c0-ee3efa923b9e |      | fa:16:3e:ea:a4:da | ip_address='172.24.4.10', subnet_id='b2060a49-c8c1-437c-  | ACTIVE |
|                                      |      |                   | bc29-74d596ba9228'                                        |        |
|                                      |      |                   | ip_address='2001:db8::1', subnet_id='48fc2747-01de-4b12   |        |
|                                      |      |                   | -9aef-bb041ca30081'                                       |        |
| 85fc242c-c210-479c-af47-af0e899efbe2 |      | fa:16:3e:76:ec:be | ip_address='fd4f:6b37:826e:0:f816:3eff:fe76:ecbe',        | ACTIVE |
|                                      |      |                   | subnet_id='c2fbd298-e466-4f54-8290-9a3d2ec57d0d'          |        |
|                                      |      |                   | ip_address='10.0.0.2', subnet_id='5c3c4802-5100-4d2a-     |        |
|                                      |      |                   | 916a-afcfa816745d'                                        |        |
| 9084ae62-4407-4531-b5dd-7020119521c3 |      | fa:16:3e:81:33:92 | ip_address='fd4f:6b37:826e::1',                           | ACTIVE |
|                                      |      |                   | subnet_id='c2fbd298-e466-4f54-8290-9a3d2ec57d0d'          |        |
| a1c1fafa-b126-4181-aee2-d848069e21f0 |      | fa:16:3e:45:ea:e4 | ip_address='10.0.0.1', subnet_id='5c3c4802-5100-4d2a-     | ACTIVE |
|                                      |      |                   | 916a-afcfa816745d'                                        |        |
| c3bad13e-9c41-4632-a170-15c8e4ee48d7 |      | fa:16:3e:b4:d8:28 | ip_address='172.24.4.3', subnet_id='b2060a49-c8c1-437c-   | ACTIVE |
|                                      |      |                   | bc29-74d596ba9228'                                        |        |
|                                      |      |                   | ip_address='2001:db8::8', subnet_id='48fc2747-01de-4b12   |        |
|                                      |      |                   | -9aef-bb041ca30081'                                       |        |
+--------------------------------------+------+-------------------+-----------------------------------------------------------+--------+
There is IPv6 as well. Look at the port assigned to the VM:
[lihui@openstack ~]$ openstack port show c3bad13e-9c41-4632-a170-15c8e4ee48d7
+-----------------------+----------------------------------------------------------------------------+
| Field                 | Value                                                                      |
+-----------------------+----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                         |
| allowed_address_pairs |                                                                            |
| binding_host_id       | openstack                                                                  |
| binding_profile       |                                                                            |
| binding_vif_details   | ovs_hybrid_plug='True', port_filter='True'                                 |
| binding_vif_type      | ovs                                                                        |
| binding_vnic_type     | normal                                                                     |
| created_at            | 2017-04-03T06:50:30Z                                                       |
| description           |                                                                            |
| device_id             | 7c5365a6-afb3-46bd-b155-df4d7328c926                                       |
| device_owner          | compute:None                                                               |
| dns_assignment        | None                                                                       |
| dns_name              | None                                                                       |
| extra_dhcp_opts       |                                                                            |
| fixed_ips             | ip_address='172.24.4.3', subnet_id='b2060a49-c8c1-437c-bc29-74d596ba9228'  |
|                       | ip_address='2001:db8::8', subnet_id='48fc2747-01de-4b12-9aef-bb041ca30081' |
| id                    | c3bad13e-9c41-4632-a170-15c8e4ee48d7                                       |
| ip_address            | None                                                                       |
| mac_address           | fa:16:3e:b4:d8:28                                                          |
| name                  |                                                                            |
| network_id            | 00a3be6c-635a-450e-b6fd-9b7dce921be9                                       |
| option_name           | None                                                                       |
| option_value          | None                                                                       |
| port_security_enabled | True                                                                       |
| project_id            | 351726551dae40b1a6d7f4fd6cba168a                                           |
| qos_policy_id         | None                                                                       |
| revision_number       | 10                                                                         |
| security_groups       | 77140086-d435-40cc-a313-e028499b3686                                       |
| status                | ACTIVE                                                                     |
| subnet_id             | None                                                                       |
| updated_at            | 2017-04-03T06:51:11Z                                                       |
+-----------------------+----------------------------------------------------------------------------+
You can see that two subnets are bound to the same network here; confirm it with network list:
[lihui@openstack ~]$ openstack network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID                                   | Name    | Subnets                                                                    |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 00a3be6c-635a-450e-b6fd-9b7dce921be9 | public  | 48fc2747-01de-4b12-9aef-bb041ca30081, b2060a49-c8c1-437c-bc29-74d596ba9228 |
| f54d722e-6ab9-45d3-82f6-ef8c50330f8a | private | 5c3c4802-5100-4d2a-916a-afcfa816745d, c2fbd298-e466-4f54-8290-9a3d2ec57d0d |
+--------------------------------------+---------+----------------------------------------------------------------------------+
OK, playtime is over. The main approach here was to log in on the front end with an already-created user, obtain the correct RC file from there, and then verify the relevant CLI commands with it.
The new OpenStack releases are all based on Keystone V3, which adds many things, such as domains, and on the CLI side almost everything will go through the openstack command from now on, without distinguishing the individual modules.