創建雲主機流程
- 當訪問Dashboard的時候,會顯示一個登錄頁面,Dashboard會告訴你,想使用Openstack創建雲主機?那你得先把你的賬號密碼交給我,我去Keystone上驗證你的身份之後才能讓你登錄。
- Keystone接收到前端表單傳過來的域,用戶名,密碼信息以後,到數據庫查詢,確認身份後將一個Token返回給該用戶,讓這個用戶以後再進行操作的時候就不需要再提供賬號密碼,而是拿着Token來。
- Horizon拿到Token之後,找到創建雲主機的按鈕並點擊,填寫雲主機相關配置信息。點擊啓動實例後,Horizon就帶着三樣東西(創建雲主機請求、雲主機配置相關信息、Keystone返回的Token)找到Nova-API。
- Horizon要創建雲主機?你先得把你的Token交給我,我去Keystone上驗證你的身份之後纔給你創建雲主機。
- Keystone一看Token發現這不就是我剛發的那個嗎?但程序可沒這麼聰明,它還得乖乖查一次數據庫,然後告訴Nova-API,這兄弟信得過,你就照它說的做吧。
- Nova-API把Horizon給的提供的雲主機配置相關寫到數據庫(Nova-DB)。
- 數據庫(Nova-DB)寫完之後,會告訴Nova-API,哥,我已經把雲主機配置相關信息寫到我的數據庫裏啦。
- 把雲主機配置相關信息寫到數據庫之後,Nova-API會往消息隊列(RabbitMQ)裏發送一條創建雲主機的消息。告訴手下的小弟們,雲主機配置相關信息已經放在數據庫裏了,你們給安排安排咯。
- Nova-Schedular時時觀察着消息隊列裏的消息,當看到這條創建雲主機的消息之後,就要幹活咯。
- 要創建雲主機,但它要看一看雲主機都要什麼配置,纔好決定該把這事交給誰(Nova-Compute)去做,所以就去數據庫去查看了
- 數據庫收到請求之後,把要創建雲主機的配置發給Nova-Schedular
- Nova-Schedular拿到雲主機配置之後,使用調度算法決定了要讓Nova-Compute去幹這個事,然後往消息隊列裏面發一條消息,某某某Nova-Compute,就你了,給創建一臺雲主機,配置都在數據庫裏。
- Nova-Compute時時觀察着消息隊列裏的消息,當看到這條讓自己創建雲主機的消息之後,就要去幹活咯。
注意:本應該直接去數據庫拿取配置信息,但因爲Nova-Compute的特殊身份,Nova-Compute所在計算節點上全是雲主機,萬一有一臺雲主機被******從而控制計算節點,直接***是很危險的。所以不能讓Nova-Compute知道數據庫在什麼地方
- Nova-Compute沒辦法去數據庫取東西難道就不工作了嗎?那可不行啊,他不知道去哪取,但Nova-Conductor知道啊,於是Nova-Compute往消息隊列裏發送一條消息,我要雲主機的配置相關信息,Nova-Conductor您老人家幫我去取一下吧。
- Nova-Conductor時時觀察着消息隊列裏的消息,當看到Nova-Conductor發的消息之後,就要去幹活咯。
- Nova-Conductor告訴數據庫我要查看某某雲主機的配置信息。
- 數據庫把雲主機配置信息發送給Nova-Conductor。
- Nova-Conductor把雲主機配置信息發到消息隊列。
- Nova-Compute收到雲主機配置信息。
- Nova-Compute讀取雲主機配置信息一看,立馬就去執行創建雲主機了。首先去請求Glance-API,告訴Glance-API我要某某某鏡像,你給我吧。
- Glance-API可不鳥你,你是誰啊?你先得把你的Token交給我,我去Keystone上驗證你的身份之後纔給你鏡像。Keystone一看Token,兄弟,沒毛病,給他吧。
- Glance-API把鏡像資源信息返回給Nova-Compute。
- Nova-Compute拿到鏡像後,繼續請求網絡資源,首先去請求Neutron-Server,告訴Neutron-Server我要某某某網絡資源,你給我吧。
- Neutron-Server可不鳥你,你是誰啊?你先得把你的Token交給我,我去Keystone上驗證你的身份之後纔給你網絡。Keystone一看Token,兄弟,沒毛病,給他吧。
- Neutron-Server把網絡資源信息返回給Nova-Compute。
- Nova-Compute拿到網絡後,繼續請求存儲資源,首先去請求Cinder-API,告訴Cinder-API我要多少多少雲硬盤,你給我吧。
- Cinder-API可不鳥你,你是誰啊?你先得把你的Token交給我,我去Keystone上驗證你的身份之後纔給你網絡。Keystone一看Token,兄弟,沒毛病,給他吧。
- Cinder-API把存儲資源信息返回給Nova-Compute。
- Nova-Compute拿到所有的資源後(鏡像、網絡、存儲),其實Nova-Compute也沒有創建雲主機的能力,他把創建雲主機的任務交給了Libvird,然後創建雲主機(KVM/ZEN)
創建雲主機網絡
- 在控制節點上,加載admin憑證來獲取管理員能執行的命令訪問權限
[root@linux-node1 ~]# source admin-openrc
- 創建網絡
[root@linux-node1 ~]# openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat provider
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-01-22T06:05:17Z |
| description | |
| headers | |
| id | d8acc6f1-8aed-4f7c-a630-83225f592039 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| mtu | 1500 |
| name | provider |
| port_security_enabled | True |
| project_id | 14055178975d417987c5a94f030c7acf |
| project_id | 14055178975d417987c5a94f030c7acf |
| provider:network_type | flat |
| provider:physical_network | provider |
| provider:segmentation_id | None |
| revision_number | 4 |
| router:external | External |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | [] |
| updated_at | 2018-01-22T06:05:18Z |
+---------------------------+--------------------------------------+
[root@linux-node1 ~]# neutron net-list
+--------------------------------------+----------+---------+
| id | name | subnets |
+--------------------------------------+----------+---------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | |
+--------------------------------------+----------+---------+
- 在網絡上創建一個子網
[root@linux-node1 ~]# openstack subnet create --network provider \
--allocation-pool start=192.168.56.100,end=192.168.56.200 \
--dns-nameserver 192.168.56.2 --gateway 192.168.56.2 \
--subnet-range 192.168.56.0/24 provider-subnet
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | 192.168.56.100-192.168.56.200 |
| cidr | 192.168.56.0/24 |
| created_at | 2018-01-22T06:13:27Z |
| description | |
| dns_nameservers | 192.168.56.2 |
| enable_dhcp | True |
| gateway_ip | 192.168.56.2 |
| headers | |
| host_routes | |
| id | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | provider-subnet |
| network_id | d8acc6f1-8aed-4f7c-a630-83225f592039 |
| project_id | 14055178975d417987c5a94f030c7acf |
| project_id | 14055178975d417987c5a94f030c7acf |
| revision_number | 2 |
| service_types | [] |
| subnetpool_id | None |
| updated_at | 2018-01-22T06:13:27Z |
+-------------------+--------------------------------------+
[root@linux-node1 ~]# neutron subnet-list
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
| id | name | cidr | allocation_pools |
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
| 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 | provider-subnet | 192.168.56.0/24 | {"start": "192.168.56.100", "end": |
| | | | "192.168.56.200"} |
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
[root@linux-node1 ~]# neutron net-list
+--------------------------------------+----------+------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+------------------------------------------------------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 192.168.56.0/24 |
+--------------------------------------+----------+------------------------------------------------------+
創建雲主機類型
默認的最小規格的主機需要512MB內存,對於環境中計算節點內存不足4 GB的,我們推薦創建只需要64MB的keywa.com
規格的主機。若單純爲了測試的目的,請使用keywa.com
規格的主機來加載CirrOS鏡像。
[root@linux-node1 ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 keywa.com
+----------------------------+-----------+
| Field | Value |
+----------------------------+-----------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| id | 0 |
| name | keywa.com |
| os-flavor-access:is_public | True |
| properties | |
| ram | 64 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+-----------+
創建密鑰
- 導入demo項目憑證
[root@linux-node1 ~]# source demo-openrc
- 生成和添加祕鑰對
[root@linux-node1 ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
[root@linux-node1 ~]# ls -l .ssh/
total 8
-rw------- 1 root root 1679 Jan 22 14:28 id_rsa
-rw-r--r-- 1 root root 398 Jan 22 14:28 id_rsa.pub
[root@linux-node1 ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| fingerprint | 6d:5f:c6:92:ac:5e:49:40:5c:3e:b4:14:9c:f9:59:8c |
| name | mykey |
| user_id | 48cd83bd3ce54b8ebece24680e8c8b0a |
+-------------+-------------------------------------------------+
- 驗證公鑰的添加
[root@linux-node1 ~]# openstack keypair list
+-------+-------------------------------------------------+
| Name | Fingerprint |
+-------+-------------------------------------------------+
| mykey | 6d:5f:c6:92:ac:5e:49:40:5c:3e:b4:14:9c:f9:59:8c |
+-------+-------------------------------------------------+
創建安全組規則
默認情況下,default安全組適用於所有實例並且包括拒絕遠程訪問實例的防火牆規則。對諸如CirrOS這樣的Linux鏡像,我們推薦至少允許ICMP (ping))和安全Shell(SSH)規則。
- 允許ICMP請求
[root@linux-node1 ~]# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-01-22T06:46:59Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| headers | |
| id | 51ed729f-b268-4a99-b8a6-3a2ba0d31c77 |
| port_range_max | None |
| port_range_min | None |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| protocol | icmp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 20346c59-a0c4-4cc3-90be-f94c3581edab |
| updated_at | 2018-01-22T06:46:59Z |
+-------------------+--------------------------------------+
- 允許安全Shell(SSH)的訪問
[root@linux-node1 ~]# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-01-22T06:49:46Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| headers | |
| id | 950a1be7-6fd3-4c80-ba60-7f4f0b573771 |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 20346c59-a0c4-4cc3-90be-f94c3581edab |
| updated_at | 2018-01-22T06:49:46Z |
+-------------------+--------------------------------------+
啓動雲主機實例
啓動一臺實例,您必須至少指定一個類型、鏡像名稱、網絡、安全組、密鑰和實例名稱。
- 在控制節點上,獲得admin憑證來獲取只有管理員能執行的命令的訪問權限
[root@linux-node1 ~]# source demo-openrc
- 一個實例指定了虛擬機資源的大致分配,包括處理器、內存和存儲
列出可用類型
[root@linux-node1 ~]# openstack flavor list
+----+-----------+-----+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-----+------+-----------+-------+-----------+
| 0 | keywa.com | 64 | 1 | 0 | 1 | True |
+----+-----------+-----+------+-----------+-------+-----------+
列出可用鏡像
[root@linux-node1 ~]# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| cd96090c-87ca-4eb3-b964-a7457639bc1e | cirros | active |
+--------------------------------------+--------+--------+
列出可用網絡
[root@linux-node1 ~]# openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------+--------------------------------------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 |
+--------------------------------------+----------+--------------------------------------+
列出可用的安全組
[root@linux-node1 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+
| ID | Name | Description | Project |
+--------------------------------------+---------+------------------------+----------------------------------+
| 20346c59-a0c4-4cc3-90be-f94c3581edab | default | Default security group | 8a788702c6ea46419bb85b4e4600e3c4 |
+--------------------------------------+---------+------------------------+----------------------------------+
- 啓動實例
[root@linux-node1 ~]# openstack server create --flavor keywa.com --image cirros \
--nic net-id=d8acc6f1-8aed-4f7c-a630-83225f592039 --security-group default \
--key-name mykey demo-instance
+--------------------------------------+-----------------------------------------------+
| Field | Value |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | MowXppdE5ayJ |
| config_drive | |
| created | 2018-01-22T07:13:02Z |
| flavor | keywa.com (0) |
| hostId | |
| id | 3b5f20c8-8b17-48a2-9b72-70cc74f6fc8f |
| image | cirros (cd96090c-87ca-4eb3-b964-a7457639bc1e) |
| key_name | mykey |
| name | demo-instance |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| properties | |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| updated | 2018-01-22T07:13:02Z |
| user_id | 48cd83bd3ce54b8ebece24680e8c8b0a |
+--------------------------------------+-----------------------------------------------+
- 檢查實例的狀態,狀態爲ACTIVE那臺虛擬機已經成功創建
[root@linux-node1 ~]# openstack server list
+--------------------------------------+---------------+--------+-------------------------+------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+---------------+--------+-------------------------+------------+
| 3b5f20c8-8b17-48a2-9b72-70cc74f6fc8f | demo-instance | ACTIVE | provider=192.168.56.110 | cirros |
+--------------------------------------+---------------+--------+-------------------------+------------+
驗證操作
- 使用SSH加密連接實例
[root@linux-node1 ~]# ssh [email protected]
The authenticity of host '192.168.56.110 (192.168.56.110)' can't be established.
RSA key fingerprint is 2f:58:9f:5e:da:c5:1f:46:43:e1:c4:64:da:ee:2e:e6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.110' (RSA) to the list of known hosts.
$
- 驗證能否ping通公有網絡的網關
$ ping -c 4 114.114.114.114
PING 114.114.114.114 (114.114.114.114): 56 data bytes
64 bytes from 114.114.114.114: seq=0 ttl=128 time=29.289 ms
64 bytes from 114.114.114.114: seq=1 ttl=128 time=29.160 ms
64 bytes from 114.114.114.114: seq=2 ttl=128 time=34.413 ms
64 bytes from 114.114.114.114: seq=3 ttl=128 time=29.153 ms
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 29.153/30.503/34.413 ms
- 驗證能否連接到互聯網
$ ping -c 4 www.baidu.com
PING www.baidu.com (14.215.177.39): 56 data bytes
64 bytes from 14.215.177.39: seq=0 ttl=128 time=12.611 ms
64 bytes from 14.215.177.39: seq=1 ttl=128 time=8.424 ms
64 bytes from 14.215.177.39: seq=2 ttl=128 time=10.575 ms
64 bytes from 14.215.177.39: seq=3 ttl=128 time=11.595 ms
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 8.424/10.801/12.611 ms
- 使用虛擬控制檯訪問實例
[root@linux-node1 ~]# openstack console url show demo-instance
+-------+------------------------------------------------------------------------------------+
| Field | Value |
+-------+------------------------------------------------------------------------------------+
| type | novnc |
| url | http://192.168.56.11:6080/vnc_auto.html?token=aff15e93-1ebe-49f3-877b-3213e6faa027 |
+-------+------------------------------------------------------------------------------------+
- 瀏覽器訪問192.168.56.11:6080/vnc_auto.html?token=aff15e93-1ebe-49f3-877b-3213e6faa027