openEuler 虚拟化环境部署

使用 VMWare Workstation 创建三台 2 CPU、8G内存、100 GB硬盘的虚拟机

|------------|-----------------|------|
| 主机 | IP | 作用 |
| Controller | 192.168.184.110 | 控制节点 |
| Compute | 192.168.184.111 | 计算节点 |
| Storage | 192.168.184.112 | 存储节 |

一基础配置

1.1 配置 yum 源

由于 openEuler 22.09 系统已经停止维护了，所以我们需要修改 yum 源为官方 Archive 的 yum 源

打开 /etc/yum.repos.d/openEuler.repo 文件，将下面所有涉及到 http://repo.openeuler.org/ 的部分改成 https://archives.openeuler.openatom.cn/

在三台机器上

$root@controller \~$ #

sed -i 's|http://repo.openeuler.org/\|https://archives.openeuler.openatom.cn/\|g' /etc/yum.repos.d/openEuler.repo

然后更新 yum 源

$root@controller \~$ # dnf update

1.2关闭防火墙等

在三台机器上

关闭防火墙

$root@controller \~$ # systemctl disable --now firewalld

关闭 SELinux

$root@controller \~$ # vi /etc/selinux/config

修改以下内容

SELINUX=disabled

修改hosts

在三台机器上

$root@controller \~$ # cat >> /etc/hosts << EOF

192.168.184.110 controller

192.168.184.111 compute

192.168.184.112 storage

EOF

此时最好重启一下机器，以便应用刚才关闭的 SELinux

1.3 时间同步

集群要求每个节点的时间要保持一致，一半由时间同步软件保证，这里使用 chrony 软件

Controller 节点

首先，安装 chrony 服务

$root@controller \~$ # dnf install -y chrony

然后，修改 /etc/chrony.conf 配置文件，新增如下内容

表示允许哪些IP从本节点同步时钟

pool ntp.aliyun.com iburst

allow 192.168.184.0/24

然后重启服务

$root@controller \~$ # systemctl restart chronyd

其他两个节点

首先一样，安装 chrony 服务

$root@compute \~$ # dnf install -y chrony

修改 /etc/chrony.conf 配置文件，修改内容如下

$root@compute \~$ # vi /etc/chrony.conf

pool pool.ntp.org iburst

↑ 注释掉这行

$root@compute \~$ # echo "server 192.168.184.110 iburst" >> /etc/chrony.conf

然后重启服务

$root@compute \~$ # systemctl restart chronyd

配置完成后，检查一下结果，在其他非controller节点执行

$root@compute \~$ # chronyc sources

返回结果如下所示，表示成功从 controller 同步时间

1.4安装数据库

数据库需要安装在 Controller 节点，这里我们选用 MariaDB 作为我们的数据库

首先安装 MariaDB

$root@controller \~$ # dnf install mysql-config mariadb mariadb-server python3-PyMySQL -y

新增配置文件 /etc/my.cnf.d/openstack.cnf 内容如下所示

$root@controller \~$ # vi /etc/my.cnf.d/openstack.cnf

mysqld

bind-address = 192.168.184.110

default-storage-engine = innodb

innodb_file_per_table = on

max_connections = 4096

collation-server = utf8_general_ci

character-set-server = utf8

然后启动服务器

$root@controller \~$ # systemctl start mariadb

然后初始化数据库

$root@controller \~$ # mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current

password for the root user. If you've just installed MariaDB, and

haven't set the root password yet, you should just press enter here.

这里输入密码，由于我们是初始化MariaDB，直接回车就行

Enter current password for root (enter for none):

OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody

can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

这里根据提示输入N

Switch to unix_socket authentication $Y/n$ n

... skipping.

You already have your root account protected, so you can safely answer 'n'.

输入Y，修改密码

Change the root password? $Y/n$ y

这里输入两次密码

New password:

Re-enter new password:

Password updated successfully!

Reloading privilege tables..

... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone

to log into MariaDB without having to have a user account created for

them. This is intended only for testing, and to make the installation

go a bit smoother. You should remove them before moving into a

production environment.

输入Y，删除匿名用户

Remove anonymous users? $Y/n$ y

... Success!

Normally, root should only be allowed to connect from 'localhost'. This

ensures that someone cannot guess at the root password from the network.

输入Y，关闭root远程登录权限

Disallow root login remotely? $Y/n$ y

... Success!

By default, MariaDB comes with a database named 'test' that anyone can

access. This is also intended only for testing, and should be removed

before moving into a production environment.

输入Y，删除test数据库

Remove test database and access to it? $Y/n$ y

Dropping test database...

... Success!

Removing privileges on test database...

... Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

输入Y，重载配置

Reload privilege tables now? $Y/n$ y

... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB

installation should now be secure.

Thanks for using MariaDB!

然后我们来验证一下

$root@controller \~$ # mysql -uroot -p

输入密码

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 11

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ >

1.5 安装消息队列

消息队列安装在 Controller 节点，这里使用 rabbitmq 作为消息队列

首先，来安装软件包

$root@controller \~$ # dnf install rabbitmq-server -y

然后启动服务

$root@controller \~$ # systemctl start rabbitmq-server

然后配置openstack用户，RABBIT_PASS是openstack服务登录消息队里的密码，需要和后面各个服务的配置保持一致

$root@controller \~$ # rabbitmqctl add_user openstack 000000

$root@controller \~$ # rabbitmqctl set_permissions openstack ".*" ".*" ".*"

这里面的 000000 是 RABBIT_PASS，可以自己改，但是一定要记住

1.6 安装缓存服务

消息队列安装在 Controller 节点，这里使用 Memcached

首先，安装软件包

$root@controller \~$ # dnf install memcached python3-memcached -y

修改配置文件 /etc/sysconfig/memcached

$root@controller \~$ # vi /etc/sysconfig/memcached

PORT="11211"

USER="memcached"

MAXCONN="1024"

CACHESIZE="64"

OPTIONS="-1 127.0.0.1,::1,controller"

然后启动服务

$root@controller \~$ # systemctl start memcached

二部署服务

2.1 Keystone

Keystone 是 OpenStack 的身份服务（Identity Service），它负责管理用户、角色、项目（租户）和域的认证和授权。Keystone 是 OpenStack 的核心组件之一，所有其他 OpenStack 服务都依赖于 Keystone 来进行用户身份验证和授权，必须安装。

Controller 节点

首先创建 Keystone 数据库并授权

$root@controller \~$ # mysql -uroot -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 13

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE keystone;

Query OK, 1 row affected (0.009 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000 ';

Query OK, 0 rows affected (0.013 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.002 sec)

MariaDB $(none)$ > exit

Bye

然后安装软件包

$root@controller \~$ # dnf install openstack-keystone httpd mod_wsgi -y

然后配置 Keystone 配置文件

$root@controller \~$ # vi /etc/keystone/keystone.conf

配置数据库入口

database

connection = mysql+pymysql://keystone:000000@controller/keystone

配置token provider

token

provider = fernet

然后同步数据库

$root@controller \~$ # su -s /bin/sh -c "keystone-manage db_sync" keystone

然后初始化 Fernet 密钥仓库

$root@controller \~$ # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

$root@controller \~$ # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

然后启动服务

$root@controller \~$ # keystone-manage bootstrap --bootstrap-password 000000 \

--bootstrap-admin-url http://controller:5000/v3/ \

--bootstrap-internal-url http://controller:5000/v3/ \

--bootstrap-public-url http://controller:5000/v3/ \

--bootstrap-region-id RegionOne

然后配置 Apache HTTP Server

打开 httpd.conf 文件配置

$root@controller \~$ # vi /etc/httpd/conf/httpd.conf

修改以下项，如果没有则新添加

ServerName controller

然后创建软连接

$root@controller \~$ # ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

然后启动 Apache HTTP 服务

$root@controller \~$ # systemctl enable --now httpd.service

$root@controller \~$ # systemctl status httpd.service

然后创建环境变量配置

$root@controller \~$ # cat << EOF >> ~/.admin-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

EOF

然后一次创建 domain, projects, users, roles

但是首先需要安装 python3-openstackclient

$root@controller \~$ # dnf install python3-openstackclient -y

然后导入环境

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

创建 Project Service，其中 Domain Default 在 Keystone-mange bootstrap 时已创建

$root@controller \~$ # openstack domain create --description "An Example Domain" example

$root@controller \~$ # openstack project create --domain default --description "Service Project" service

创建（non-admin）project myproject，user myuser 和 role myrole，为 myproject 和 myuser 添加角色myrole

$root@controller \~$ # openstack project create --domain default --description "Demo Project" myproject

$root@controller \~$ # openstack user create --domain default --password-prompt myuser

密码：000000

$root@controller \~$ # openstack role create myrole

将角色 myrole 分配给用户 myuser，并关联到项目 myproject，并验证角色是否已成功分配

$root@controller \~$ # openstack role add --project myproject --user myuser myrole

$root@controller \~$ # openstack role assignment list --project myproject --user myuser

然后对此进行验证

取消临时环境变量 OS_AUTH_URL和OS_PASSWORD

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # unset OS_AUTH_URL OS_PASSWORD

为 admin 用户请求 token

$root@controller \~$ # openstack --os-auth-url http://controller:5000/v3 \

--os-project-domain-name Default --os-user-domain-name Default \

--os-project-name admin --os-username admin token issue

Password: 000000

为 myuser 用户请求 token

$root@controller \~$ # openstack --os-auth-url http://controller:5000/v3 \

--os-project-domain-name Default --os-user-domain-name Default \

--os-project-name myproject --os-username myuser token issue

Password: 000000

2.2 Glance

Glance 是 OpenStack 中的镜像服务（Image Service），负责管理和存储虚拟机镜像。它允许用户上传、下载、删除和查询虚拟机镜像，并支持多种镜像格式（如 QCOW2、RAW、VMDK 等）。Glance 是 OpenStack 计算服务（Nova）的核心组件之一，为虚拟机提供启动镜像，必须安装

Controller 节点

首先创建 glance 数据库并授权

$root@controller \~$ # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 30

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE glance;

Query OK, 1 row affected (0.011 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '000000 ';

Query OK, 0 rows affected (0.018 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.011 sec)

MariaDB $(none)$ > exit

Bye

初始化 glance 资源对象

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

创建用户时，命令行会提示输入密码，请输入自定义的密码

$root@controller \~$ # openstack user create --domain default --password-prompt glance

User Password: 000000

Repeat User Password: 000000

添加 glance 用户到 Service Project 并指定 admin 角色

$root@controller \~$ # openstack role add --project service --user glance admin

创建 glance 服务实例

$root@controller \~$ # openstack service create --name glance --description "OpenStack Image" image

创建 glance API 服务

$root@controller \~$ # openstack endpoint create --region RegionOne image public http://controller:9292

$root@controller \~$ # openstack endpoint create --region RegionOne image internal http://controller:9292

$root@controller \~$ # openstack endpoint create --region RegionOne image admin http://controller:9292

然后安装软件包

$root@controller \~$ # dnf install openstack-glance -y

然后修改 glance 配置文件

$root@controller \~$ # vi /etc/glance/glance-api.conf

添加/修改以下内容

database

connection = mysql+pymysql://glance:000000@controller/glance

keystone_authtoken

www_authenticate_uri = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = glance

password = 000000

paste_deploy

flavor = keystone

glance_store

stores = file,http

default_store = file

filesystem_store_datadir = /var/lib/glance/images/

启动数据库

$root@controller \~$ # su -s /bin/sh -c "glance-manage db_sync" glance

然后启动服务

$root@controller \~$ # systemctl enable --now openstack-glance-api.service

然后导入环境变量并验证

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

然后下载镜像

$root@controller \~$ # wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img

然后再向 Image 服务上传镜像

$root@controller \~$ # openstack image create --disk-format qcow2 --container-format bare \

--file cirros-0.4.0-x86_64-disk.img --public cirros

确认镜像上传并验证属性

$root@controller \~$ # openstack image list

2.3 Placement

Placement 是 OpenStack 中的一个核心服务，主要负责资源调度和分配。它是 OpenStack 计算服

务（Nova）的重要组成部分，用于管理计算节点的资源（如 CPU、内存、存储等），并确保资源的有效利用和负载均衡

Controller 节点

安装、配置Placement服务前，需要先创建相应的数据库、服务凭证和API endpoints

$root@controller \~$ # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 49

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE placement;

Query OK, 1 row affected (0.010 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.055 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.005 sec)

MariaDB $(none)$ > exit

Bye

然后配置用户和Endpoint

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

创建 placement 用户并设置用户密码

$root@controller \~$ # openstack user create --domain default --password-prompt placement

User Password: 000000

Repeat User Password: 000000

添加placement用户到service project并指定admin角色

$root@controller \~$ # openstack role add --project service --user placement admin

创建 plancement 服务实体

$root@controller \~$ # openstack service create --name placement \

--description "Placement API" placement

创建 Plance API 服务 Endpoints

$root@controller \~$ # openstack endpoint create --region RegionOne \

placement public http://controller:8778

$root@controller \~$ # openstack endpoint create --region RegionOne \

placement internal http://controller:8778

$root@controller \~$ # openstack endpoint create --region RegionOne \

placement admin http://controller:8778

然后安装相关软件包

$root@controller \~$ # dnf install openstack-placement-api -y

编辑 /etc/placement/placement.conf配置文件

$root@controller \~$ # vi /etc/placement/placement.conf

placement_database

connection = mysql+pymysql://placement:000000@controller/placement

api

auth_strategy = keystone

keystone_authtoken

auth_url = http://controller:5000/v3

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = placement

password = 000000

数据库同步，填充 Placement 数据库

$root@controller \~$ # su -s /bin/sh -c "placement-manage db sync" placement

然后通过重启 httpd 服务来启动服务

$root@controller \~$ # systemctl restart httpd

然后我们来验证一下

通过 source admin 凭证，以获取 admin 命令行权限

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

执行状态检查

$root@controller \~$ # placement-status upgrade check

这里可以看到Policy File JSON to YAML Migration的结果为Failure

这是因为在Placement中，JSON格式的policy文件从Wallaby版本开始已处于deprecated状态

可以参考提示，使用oslopolicy-convert-json-to-yaml工具将现有的JSON格式policy文件转化为YAML格式

$root@controller \~$ # oslopolicy-convert-json-to-yaml --namespace placement \

--policy-file /etc/placement/policy.json \

--output-file /etc/placement/policy.yaml

$root@controller \~$ # mv /etc/placement/policy.json{,.bak}

注：当前环境中此问题可忽略，不影响运行。

然后针对 placement API 运行命令

首先来安装 osc-placement 插件

$root@controller \~$ # dnf install python3-osc-placement -y

然后列出可用的资源类别以及特性

$root@controller \~$ # openstack --os-placement-api-version 1.2 resource class list --sort-column name

$root@controller \~$ # openstack --os-placement-api-version 1.6 trait list --sort-column name

2.4 Nova

Nova 是 OpenStack 中的核心组件之一，负责管理虚拟机实例（VM）的生命周期

它提供了虚拟机的创建、调度、启动、停止、重启、删除等功能

Nova 依赖于其他 OpenStack 组件（如 Keystone 用于身份认证，Glance 用于镜像管理，Neutron 用于网络管理等）来完成其工作

Controller节点

安装、配置Placement服务前，需要先创建相应的数据库、服务凭证和API endpoints

$root@controller \~$ # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 24

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE nova_api;

Query OK, 1 row affected (0.000 sec)

MariaDB $(none)$ > CREATE DATABASE nova;

Query OK, 1 row affected (0.000 sec)

MariaDB $(none)$ > CREATE DATABASE nova_cell0;

Query OK, 1 row affected (0.000 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > exit

Bye

然后配置用户和 Engpoints

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

创建nova用户并设置用户密码

$root@controller \~$ # openstack user create --domain default --password-prompt nova

User Password:000000

Repeat User Password:000000

然后添加nova用户到service project并指定admin角色

$root@controller \~$ # openstack role add --project service --user nova admin

创建nova服务实体

$root@controller \~$ # openstack service create --name nova --description "OpenStack Compute" compute

创建NovaAPI服务endpoints

$root@controller \~$ # openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1

$root@controller \~$ # openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1

$root@controller \~$ # openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1

然后安装及配置组件

$root@controller \~$ # dnf install openstack-nova-api openstack-nova-conductor openstack-nova-novncproxy openstack-nova-scheduler -y

编辑 /etc/nova/nova.conf 配置文件

$root@controller\~$ # vi /etc/nova/nova.conf

DEFAULT

enabled_apis = osapi_compute,metadata

transport_url = rabbit://openstack:000000@controller:5672/

my_ip = 192.168.184.110

log_dir = /var/log/nova

api

auth_strategy = keystone

api_database

connection = mysql+pymysql://nova:000000@controller/nova_api

database

connection = mysql+pymysql://nova:000000@controller/nova

keystone_authtoken

auth_url = http://controller:5000/v3

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = nova

password = 000000

vnc

enabled = true/

server_listen = $my_ip

server_proxyclient_address = $my_ip

glance

api_servers = http://controller:9292

oslo_concurrency

lock_path = /var/lib/nova/tmp

placement

region_name = RegionOne

project_domain_name = Default

project_name = service

auth_type = password

user_domain_name = Default

auth_url = http://controller:5000/v3

username = placement

password = 000000

然后同步数据库

首先同步nova-api数据库

$root@controller \~$ # su -s /bin/sh -c "nova-manage api_db sync" nova

$root@controller \~$ # su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova

注册cell1 cell

$root@controller \~$ # su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova

同步nova数据库

$root@controller \~$ # su -s /bin/sh -c "nova-manage db sync" nova

验证cell0和cell1注册正确

$root@controller \~$ # su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova

然后启动服务

$root@controller \~$ # systemctl enable --now \

openstack-nova-api.service \

openstack-nova-scheduler.service \

openstack-nova-conductor.service \

openstack-nova-novncproxy.service

Compute节点

首先让我们来安装软件包

$root@compute \~$ # dnf install openstack-nova-compute -y

编辑 /etc/nova/nova.conf 配置文件

$root@compute \~$ # vi /etc/nova/nova.conf

DEFAULT

enabled_apis = osapi_compute,metadata

transport_url = rabbit://openstack:000000@controller:5672

/my_ip = 192.168.184.111

compute_driver = libvirt.LibvirtDriver

instances_path = /var/lib/nova/instances

log_dir = /var/log/nova

api

auth_strategy = keystone

keystone_authtoken

auth_url = http://controller:5000/v3

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = nova

password = 000000

vnc

enabled = true

server_listen = $my_ip

server_proxyclient_address = $my_ip

novncproxy_base_url = http://controller:6080/vnc_auto.html

glance

api_servers = http://controller:9292

oslo_concurrency

lock_path = /var/lib/nova/tmp

placement

region_name = RegionOne

project_domain_name = Default

project_name = service

auth_type = password

user_domain_name = Default

auth_url = http://controller:5000/v3

username = placement

password = 000000

根据情况需要可以省略的步骤

然后确认compute节点是否支持虚拟机硬件加速（x86_64-Intel）

处理器为x86_64架构时，可通过运行如下命令确认是否支持硬件加速：

$root@compute \~$ # egrep -c '(vmx|svm)' /proc/cpuinfo

如果返回值为0则不支持硬件加速，需要配置libvirt使用QEMU而不是默认的KVM。编辑 /etc/nova/nova.conf 的 $libvirt$ 部分：

$root@compute \~$ # vi /etc/nova/nova.conf

libvirt

virt_type = qemu

如果返回值为1或更大的值，则支持硬件加速，不需要进行额外的配置。

确认计算节点是否支持虚拟机硬件加速（arm64-AMD）

处理器为arm64架构时，可通过运行如下命令确认是否支持硬件加速

$root@compute \~$ # virt-host-validate

该命令由libvirt提供，此时libvirt应已作为openstack-nova-compute依赖被安装，环境中已有此命令

显示FAIL时，表示不支持硬件加速，需要配置libvirt使用QEMU而不是默认的KVM。

QEMU: Checking if device /dev/kvm exists: FAIL (Check that CPU and firmware supports virtualization and kvm module is loaded)

编辑/etc/nova/nova.conf的 $libvirt$ 部分

$root@compute \~$ # /etc/nova/nova.conf

libvirt

virt_type = qemu

显示PASS时，表示支持硬件加速，不需要进行额外的配置。

QEMU: Checking if device /dev/kvm exists: PASS

配置qemu（仅arm64）

仅当处理器为arm64架构时需要执行此操作。

编辑/etc/libvirt/qemu.conf

$root@compute \~$ # vi /etc/libvirt/qemu.conf

nvram = ["/usr/share/AAVMF/AAVMF_CODE.fd: \

/usr/share/AAVMF/AAVMF_VARS.fd", \

"/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw: \

/usr/share/edk2/aarch64/vars-template-pflash.raw"]

编辑/etc/qemu/firmware/edk2-aarch64.json

$root@compute \~$ # vi /etc/qemu/firmware/edk2-aarch64.json

{

"description": "UEFI firmware for ARM64 virtual machines",

"interface-types": [

"uefi"

"mapping": {

"device": "flash",

"executable": {

"filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",

"format": "raw"

"nvram-template": {

"filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",

"format": "raw"

}

"targets": [

{

"architecture": "aarch64",

"machines": [

"virt-*"

]

}

"features": [

"tags": [

]}

继续步骤

启动服务

$root@compute \~$ # systemctl enable --now libvirtd.service openstack-nova-compute.service

Controller节点

然后回到 Controller 节点，添加计算节点到 OpenStack 集群

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

确认 nova-compute 服务已识别到数据库中

$root@controller \~$ # openstack compute service list --service nova-compute

发现计算节点，将计算节点添加到cell数据库

$root@controller \~$ # su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova

然后验证一下

首先列出服务组件，验证每个流程都成功启动和注册

$root@controller \~$ # openstack compute service list

然后列出身份服务中的API端点，验证身份服务的连接

$root@controller \~$ # openstack catalog list

之后列出镜像服务中的镜像，验证与镜像服务的连接

$root@controller \~$ # openstack image list

最后验证一下 cells 是否运作成功，以及其他必要条件是否已具备

$root@controller \~$ # nova-status upgrade check

2.5 Neutron

Neutron 是 OpenStack 中的网络服务组件，负责为 OpenStack 环境提供网络连接和 IP 地址管理

它允许用户创建和管理虚拟网络、子网、路由器、安全组等网络资源，从而为虚拟机（VM）提供网络功能

Controller节点

首先创建 keystone 数据库并授权

$root@controller \~$ # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 61

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE neutron;

Query OK, 1 row affected (0.000 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > exit

Bye

设置环境变量

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # env | grep OS_

创建用户和服务

$root@controller \~$ # openstack user create --domain default --password-prompt neutron

User Password:000000

Repeat User Password:000000

$root@controller \~$ # openstack role add --project service --user neutron admin

$root@controller \~$ # openstack service create --name neutron --description "OpenStack Networking" network

部署Neutron API服务

$root@controller \~$ # openstack endpoint create --region RegionOne network public http://controller:9696

$root@controller \~$ # openstack endpoint create --region RegionOne network internal http://controller:9696

$root@controller \~$ # openstack endpoint create --region RegionOne network admin http://controller:9696

之后安装软件包

$root@controller \~$ # dnf install -y openstack-neutron openstack-neutron-linuxbridge ebtables ipset openstack-neutron-ml2 -y

配置Neutron

$root@controller \~$ # vi /etc/neutron/neutron.conf

database

connection = mysql+pymysql://neutron:000000@controller/neutron

DEFAULT

core_plugin = ml2

service_plugins = router

allow_overlapping_ips = true

transport_url = rabbit://openstack:000000@controller

auth_strategy = keystone

notify_nova_on_port_status_changes = true

notify_nova_on_port_data_changes = true

keystone_authtoken

www_authenticate_uri = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = neutron

password = 000000

nova

auth_url = http://controller:5000

auth_type = password

project_domain_name = Default

user_domain_name = Default

region_name = RegionOne

project_name = service

username = nova

password = 000000

oslo_concurrency

lock_path = /var/lib/neutron/tmp

配置ML2，ML2，具体配置可以根据需求自行修改，这里使用的是provider network + linuxbridge**

修改/etc/neutron/plugins/ml2/ml2_conf.ini（直接添加）

$root@controller \~$ # vi /etc/neutron/plugins/ml2/ml2_conf.ini

ml2

type_drivers = flat,vlan,vxlan

tenant_network_types = vxlan

mechanism_drivers = linuxbridge,l2population

extension_drivers = port_security

ml2_type_flat

flat_networks = provider

ml2_type_vxlan

vni_ranges = 1:1000

securitygroup

enable_ipset = true

修改/etc/neutron/plugins/ml2/linuxbridge_agent.ini（直接添加）

$root@controller \~$ # vi /etc/neutron/plugins/ml2/linuxbridge_agent.ini

linux_bridge

physical_interface_mappings = provider:ens33

vxlan

enable_vxlan = true

local_ip = 192.168.184.110

l2_population = true

securitygroup

enable_security_group = true

firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

配置Layer-3代理

修改 /etc/neutron/l3_agent.ini

$root@controller \~$ # vi /etc/neutron/l3_agent.ini

DEFAULT

interface_driver = linuxbridge

配置DHCP代理修改 /etc/neutron/dhcp_agent.ini

$root@controller \~$ # vi /etc/neutron/dhcp_agent.ini

DEFAULT

interface_driver = linuxbridge

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

enable_isolated_metadata = true

配置metadata代理

修改 /etc/neutron/metadata_agent.ini

$root@controller \~$ # vi /etc/neutron/metadata_agent.ini

DEFAULT

nova_metadata_host = controller

metadata_proxy_shared_secret = METADATA_SECRET

配置nova服务使用neutron，修改 /etc/nova/nova.conf

$root@controller \~$ # vi /etc/nova/nova.conf

neutron

auth_url = http://controller:5000

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = neutron

password = 000000

service_metadata_proxy = true

metadata_proxy_shared_secret = METADATA_SECRET

创建 /etc/neutron/plugin.ini的符号链接

$root@controller \~$ # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

然后同步数据库

$root@controller \~$ # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron

然后重启nova api服务

$root@controller \~$ # systemctl restart openstack-nova-api

最后启动网络服务

$root@controller \~$ # systemctl enable --now neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service

Compute节点

首先安装软件包

$root@compute \~$ # dnf install openstack-neutron-linuxbridge ebtables ipset -y

然后配置Neutron

修改 /etc/neutron/neutron.conf

$root@compute \~$ # vi /etc/neutron/neutron.conf

DEFAULT

transport_url = rabbit://openstack:000000@controller

auth_strategy = keystone

keystone_authtoken

www_authenticate_uri = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = neutron

password = 000000

oslo_concurrency

lock_path = /var/lib/neutron/tmp

修改 /etc/neutron/plugins/ml2/linuxbridge_agent.ini

$root@compute \~$ # vi /etc/neutron/plugins/ml2/linuxbridge_agent.ini

linux_bridge

physical_interface_mappings = provider:ens33

vxlan

enable_vxlan = true

local_ip = 192.168.184.111

l2_population = true

securitygroup

enable_security_group = true

firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

配置nova compute服务使用neutron，修改 /etc/nova/nova.conf

$root@compute \~$ # vi /etc/nova/nova.conf

neutron

auth_url = http://controller:5000

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = neutron

password = 000000

然后重启nova-compute服务

$root@compute \~$ # systemctl restart openstack-nova-compute.service

最后启动服务

$root@compute \~$ # systemctl enable --now neutron-linuxbridge-agent

$root@compute \~$ # systemctl status neutron-linuxbridge-agent

2.6 Cinder

Cinder 是 OpenStack 项目中的一个核心组件，负责块存储（Block Storage）服务。

它是 OpenStack 的存储服务模块，允许用户创建和管理持久化的块存储卷（volumes），这些卷可以附加到虚拟机（VMs）上，作为虚拟机的存储设备

Controller节点

首先创建cinder数据库

$root@controller \~$ # mysql -u root -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 155

Server version: 10.5.16-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB $(none)$ > CREATE DATABASE cinder;

Query OK, 1 row affected (0.000 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY '000000';

Query OK, 0 rows affected (0.001 sec)

MariaDB $(none)$ > exit

Bye

初始化Keystone资源对象

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # openstack user create --domain default --password-prompt cinder

User Password:000000

Repeat User Password:000000

$root@controller \~$ # openstack role add --project service --user cinder admin

$root@controller \~$ # openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3

$root@controller \~$ # openstack endpoint create --region RegionOne volumev3 public http://controller:8776/v3/%\$project_id\$s

$root@controller \~$ # openstack endpoint create --region RegionOne volumev3 internal http://controller:8776/v3/%\$project_id\$s

然后安装软件包

$root@controller \~$ # dnf install openstack-cinder-api openstack-cinder-scheduler -y

修改cinder配置文件 /etc/cinder/cinder.conf

$root@controller \~$ # vi /etc/cinder/cinder.conf

DEFAULT

transport_url = rabbit://openstack:000000@controller

auth_strategy = keystone

my_ip = 192.168.184.110

database

connection = mysql+pymysql://cinder:000000@controller/cinder

keystone_authtoken

www_authenticate_uri = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = Default

user_domain_name = Default

project_name = service

username = cinder

password = 000000

oslo_concurrency

lock_path = /var/lib/cinder/tmp

数据库同步

$root@controller \~$ # su -s /bin/sh -c "cinder-manage db sync" cinder

修改nova配置 /etc/nova/nova.conf

$root@controller \~$ # vi /etc/nova/nova.conf

cinder

os_region_name = RegionOne

启动服务

$root@controller \~$ # systemctl restart openstack-nova-api

$root@controller \~$ # systemctl enable --now openstack-cinder-api openstack-cinder-scheduler

$root@controller \~$ # systemctl status openstack-cinder-api openstack-cinder-scheduler

Storage节点

Storage节点要提前准备至少一块硬盘，作为cinder的存储后端

下文默认storage节点已经存在一块未使用的硬盘，设备名称为 /dev/sdb

首先来安装软件包

$root@storage \~$ # dnf install lvm2 device-mapper-persistent-data scsi-target-utils rpcbind nfs-utils openstack-cinder-volume openstack-cinder-backup -y

然后配置lvm卷组

$root@storage \~$ # pvcreate /dev/sdb

$root@storage \~$ # vgcreate cinder-volumes /dev/sdb

修改cinder配置 /etc/cinder/cinder.conf

$root@storage \~$ # vi /etc/cinder/cinder.conf

DEFAULT

transport_url = rabbit://openstack:000000@controller

auth_strategy = keystone

my_ip = 192.168.184.112

enabled_backends = lvm

glance_api_servers = http://controller:9292

keystone_authtoken

www_authenticate_uri = http://controller:5000

auth_url = http://controller:5000

memcached_servers = controller:11211

auth_type = password

project_domain_name = default

user_domain_name = default

project_name = service

username = cinder

password = 000000

database

connection = mysql+pymysql://cinder:000000@controller/cinder

lvm

volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver

volume_group = cinder-volumes

target_protocol = iscsi

target_helper = lioadm

oslo_concurrency

lock_path = /var/lib/cinder/tmp

然后启动服务

$root@storage \~$ # systemctl start openstack-cinder-volume target

$root@storage \~$ # systemctl start openstack-cinder-backup

然后我们回到 Controller 节点验证一下是否正确

$root@controller \~$ # source ~/.admin-openrc

$root@controller \~$ # openstack volume service list

创建一个卷来验证配置是否正确

$root@controller \~$ # openstack volume create --size 1 test-volume

$root@controller \~$ # openstack volume list

2.7 Horizon

Horizon是OpenStack提供的前端页面，可以让用户通过网页鼠标的操作来控制OpenStack集群，而不用繁琐的CLI命令行。Horizon一般部署在控制节点。

在 Controller 节点进行操作

首先来安装软件包

$root@controller \~$ # dnf install openstack-dashboard -y

然后修改配置文件 /etc/openstack-dashboard/local_settings

$root@controller \~$ # vi /etc/openstack-dashboard/local_settings

OPENSTACK_HOST = "controller"

ALLOWED_HOSTS = $'\*',$

OPENSTACK_KEYSTONE_URL = "http://controller:5000/v3"

SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

CACHES = {

'default': {

'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',

'LOCATION': 'controller:11211',

}

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"

OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"

WEBROOT = '/dashboard'

POLICY_FILES_PATH = "/etc/openstack-dashboard"

OPENSTACK_API_VERSIONS = {

"identity": 3,

"image": 2,

"volume": 3,

}

然后重启服务

$root@controller \~$ # systemctl restart httpd

至此，Horizon服务的部署已全部完成，打开浏览器，输入http://192.168.184.110/dashboard，打开horizon登录页面。

点击"登入"按钮登陆 Dashboard 操作界面

功能验证

账户管理模块

在Dashboard操作界面中单击"身份管理→用户"，单击右上角的"创建用户"按钮，进入创建用户界面，在输入对应参数之后，单击"创建用户"按钮，创建用户

返回主界面，在Dashboard操作界面的用户列表中可以查看到创建成功的用户

使用远程工具连接controller节点，可以查看到创建的用户列表

$root@controller \~$ # openstack user list | grep GCX

可以使用openstack user show命令，查询openstack-test用户详细信息

$root@controller \~$ # openstack user show GCX

镜像模块

在Dashboard操作界面中单击"管理员→计算→镜像→创建镜像"，进入镜像创建界面，在创建镜像界面中，可以自定义镜像名称，并且添加本地镜像文件（cirros-0.3.4-x86_64-disk.img）

在设置镜像格式为QCOW2后，可以根据其他相应要求进行配置，最后单击"创建镜像"按钮来完成镜像的创建。

网络模块

在Dashboard操作界面中单击"网络"，根据要求创建相应的网络"testnet"

下拉框选择项目"admin"，勾选"共享的"以及"外部网络"选项，使云主机能够连通外网

然后单击"下一步"按钮，进入创建子网界面，填写子网名称testsubnet，网络地址192.168.184.115/24，网关IP为192.168.184.2

然后单击"下一步"按钮，进入最后的确认界面，单击"创建网络"按钮

云主机模块

为了顺利创建实例，还需要提前创建实例类型。

在Dashboard操作界面中单击"管理员→计算→实例类型"，然后单击"创建实例类型"按钮，在弹出的窗口输入相应的属性参数，名称为"test"，vCPU数量1，内存512M，根磁盘1GB

最后单击右下方"创建实例类型"按钮即可完成创建

在以上几个模块都完成之后，就可以创建实例来使用。如果缺少了上述任何一个操作，都可能使实例创建失败

在Dashboard操作界面中单击"项目→计算→实例"按钮，单击右方"创建实例"按钮，进入创建实例界面，输入实例名称"test-instance"

接下来依次选择上述模块创建的 "源*" "实例类型*" "网络"，单击"创建实例"按钮，完成实例的创建

创建完成后，等待片刻，即可在云主机列表中看到云主机 "test-instance" 正在运行中

选择当前实例 "Actions" 下拉列表中的 "控制台" 选项，进入云主机控制台界面，按照提示输入正确的登录名及密码，即可成功登录云主机

基于 openEuler 22.09 的 OpenStack Yoga 部署

openEuler 虚拟化环境部署

一 基础配置

1.1 配置 yum 源

然后更新 yum 源

1.2关闭防火墙等

关闭防火墙

关闭 SELinux

修改以下内容

1.3 时间同步

表示允许哪些IP从本节点同步时钟

pool pool.ntp.org iburst

1.4安装数据库

这里输入密码，由于我们是初始化MariaDB，直接回车就行

这里根据提示输入N

输入Y，修改密码

这里输入两次密码

输入Y，删除匿名用户

输入Y，关闭root远程登录权限

输入Y，删除test数据库

输入Y，重载配置

输入密码

1.5 安装消息队列

1.6 安装缓存服务

二 部署服务

2.1 Keystone

配置数据库入口

配置token provider

修改以下项，如果没有则新添加

2.2 Glance

添加/修改 以下内容

2.3 Placement

2.4 Nova

Controller节点

Compute节点

根据情况需要可以省略的步骤

继续步骤

Controller节点

2.5 Neutron

Controller节点

Compute节点

2.6 Cinder

Controller节点

Storage节点

2.7 Horizon

功能验证

一基础配置

二部署服务

添加/修改以下内容