From zero to cloud: building your first private-cloud lab environment with OpenStack Train on CentOS 7

张开发
2026/4/18 23:11:23, 15 min read


Cloud computing is reshaping how modern IT infrastructure is built, and OpenStack, one of the most popular open-source cloud platforms, gives developers a powerful toolkit for building private clouds. This article walks you through setting up a slim but functional lab environment on CentOS 7 with the OpenStack Train release. Unlike a full production-grade deployment, we focus on a "minimum viable set": only the core services are installed, so you can try out OpenStack's basic features in the shortest possible time.

## 1. Environment preparation and base configuration

The first step in building an OpenStack lab is to prepare suitable hardware and an operating system. For individual study or small-team testing, one moderately sized physical machine or virtual machine is enough. We recommend at least 4 CPU cores, 8 GB of RAM and 100 GB of storage; that is sufficient to run the base services and boot a few test instances.

CentOS 7, a stable and reliable Linux distribution, is an ideal choice for deploying OpenStack. Before installing anything, make sure the system is fully updated:

```bash
sudo yum update -y
sudo reboot
```

After the update completes, set the hostname and configure networking. OpenStack has strict requirements on hostname resolution, so add static entries to /etc/hosts:

```bash
echo "192.168.1.100 controller" | sudo tee -a /etc/hosts
echo "192.168.1.101 compute1" | sudo tee -a /etc/hosts
```

Tip: in production, use a DNS service for hostname resolution; in a lab, static entries in /etc/hosts are simpler.

Next, disable NetworkManager in favour of the legacy network service, and put SELinux into permissive mode and stop firewalld to simplify the installation:

```bash
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager
sudo systemctl enable network
sudo systemctl start network
sudo setenforce 0
sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
sudo systemctl stop firewalld
sudo systemctl disable firewalld
```

Caveat: SELinux and firewalld are relaxed here only to keep the lab simple. The openstack-selinux package installed in the next section carries the policy needed to run these services with SELinux enforcing, and the service ports used throughout this guide (the database, RabbitMQ, memcached and every API endpoint) should be firewalled in any environment that other hosts can reach.

## 2. Installing the OpenStack core components

OpenStack is made up of several cooperating services, each responsible for a different function. Our minimal deployment installs the following core services:

- Keystone: identity service; manages users, roles and permissions
- Glance: image service; stores and manages virtual machine images
- Nova: compute service; manages the lifecycle of virtual machine instances
- Neutron: networking service; provides virtual networking
- Horizon: web-based management dashboard

First, install the OpenStack Train repository and the required tools:

```bash
sudo yum install -y centos-release-openstack-train
sudo yum update -y
sudo yum install -y python-openstackclient openstack-selinux
```

### 2.1 Installing and configuring the MySQL database

Each OpenStack component needs a database for its configuration and state. We use MariaDB (MySQL-compatible) as the backend:

```bash
sudo yum install -y mariadb mariadb-server python2-PyMySQL
sudo systemctl enable mariadb
sudo systemctl start mariadb
```

Run the MySQL secure-installation script to set the root password and remove the test database:

```bash
sudo mysql_secure_installation
```

Create the databases and users OpenStack will use:

```bash
mysql -u root -p
```

At the MySQL prompt, run the following:

```sql
CREATE DATABASE keystone;
CREATE DATABASE glance;
CREATE DATABASE nova;
CREATE DATABASE nova_api;
-- nova_cell0 is needed by the "nova-manage cell_v2 map_cell0" step in section 5
CREATE DATABASE nova_cell0;
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';
FLUSH PRIVILEGES;
exit
```

Replace every *_DBPASS placeholder (and every other *_PASS placeholder in this guide) with a distinct, randomly generated value. The '%' grants accept connections from any host; on a single-controller lab the 'localhost' grants alone are enough, so in any shared environment either drop the '%' grants or bind MariaDB to the management address only.

### 2.2 Installing and configuring the message queue

OpenStack components communicate internally through a message queue. We use RabbitMQ as the message broker:

```bash
sudo yum install -y rabbitmq-server
sudo systemctl enable rabbitmq-server
sudo systemctl start rabbitmq-server
```

Add the openstack user to RabbitMQ and grant it permissions:

```bash
sudo rabbitmqctl add_user openstack RABBIT_PASS
sudo rabbitmqctl set_permissions openstack ".*" ".*" ".*"
```

Note: the [keystone_authtoken] sections configured in later sections point at memcached_servers = controller:11211, so memcached must also be installed and running on the controller. This article does not show that step; the Train installation guide installs it alongside the database and message queue (yum install memcached python-memcached, set OPTIONS in /etc/sysconfig/memcached so it listens on the controller address, then enable and start the memcached service).

## 3. Installing and configuring the Identity service (Keystone)

Keystone is OpenStack's identity service; it manages users, roles and the service catalog. Before installing Keystone, generate a random token for the initial configuration:

```bash
openssl rand -hex 10
```

Note the generated token value, then install Keystone and configure /etc/keystone/keystone.conf:

```bash
sudo yum install -y openstack-keystone httpd mod_wsgi
```

Edit /etc/keystone/keystone.conf and add or modify the following in the corresponding sections:

```ini
[DEFAULT]
admin_token = YOUR_ADMIN_TOKEN

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = fernet
```

Caveat: admin_token is a leftover from older guides. Train's Keystone no longer ships the admin_token_auth middleware, and the keystone-manage bootstrap step below is what actually creates the admin credentials, so treat the token as vestigial rather than as a working credential.

Initialize the Keystone database and set up the Fernet keys:

```bash
sudo su -s /bin/sh -c "keystone-manage db_sync" keystone
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```

Bootstrap the identity service:

```bash
sudo keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
```

Configure the Apache HTTP server to host the Keystone service:

```bash
echo "ServerName controller" | sudo tee -a /etc/httpd/conf/httpd.conf
# enable the Keystone WSGI virtual host shipped by the package; without it
# httpd serves nothing on port 5000
sudo ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
sudo systemctl enable httpd
sudo systemctl start httpd
```

Create an environment file for the steps that follow:

```bash
cat <<EOF > ~/admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
chmod 600 ~/admin-openrc   # the file holds the admin password in clear text
```
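Sections 2 and 3 leave a dozen placeholder credentials (KEYSTONE_DBPASS, RABBIT_PASS, ADMIN_PASS, and so on) that must each become a distinct random value before the lab is usable, and the admin-openrc file then holds one of them in clear text. The following Python script is an added example, not part of the original article or of OpenStack itself: it generates one secret per placeholder, renders a template such as admin-openrc with them, refuses to leave any placeholder behind, and writes the results with owner-only permissions. The placeholder list, the suffix regex and the output file names (admin-openrc, openstack-secrets.env) are this example's own assumptions.

```python
"""Generate one random secret per placeholder used in this guide and render a
template with them, refusing to leave any placeholder behind."""
import os
import re
import secrets
import string

# Every placeholder credential this guide asks you to replace (assumed list).
PLACEHOLDERS = [
    "KEYSTONE_DBPASS", "GLANCE_DBPASS", "NOVA_DBPASS", "NEUTRON_DBPASS",
    "RABBIT_PASS", "ADMIN_PASS", "GLANCE_PASS", "NOVA_PASS", "NEUTRON_PASS",
    "PLACEMENT_PASS", "METADATA_SECRET",
]

# Matches UPPER_CASE names ending in the suffixes the guide uses for secrets.
# "OS_PASSWORD" does not match because no word boundary follows its "_PASS".
PLACEHOLDER_RE = re.compile(r"\b[A-Z][A-Z0-9_]*(?:_PASS|_DBPASS|_SECRET|_TOKEN)\b")

# Constructed sample: the admin-openrc file from section 3.
ADMIN_OPENRC_TEMPLATE = """\
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
"""


def generate_secrets(names=PLACEHOLDERS, length=32):
    """Return {placeholder: random value}. Letters and digits only, so the
    value needs no quoting in shell, INI files or database connection URLs."""
    alphabet = string.ascii_letters + string.digits
    return {name: "".join(secrets.choice(alphabet) for _ in range(length))
            for name in names}


def find_placeholders(text):
    """Sorted list of placeholder names still present in text."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def render(template, values):
    """Substitute every placeholder; raise if one has no generated value."""
    def substitute(match):
        name = match.group(0)
        if name not in values:
            raise KeyError(f"no value generated for placeholder {name}")
        return values[name]
    return PLACEHOLDER_RE.sub(substitute, template)


def write_private(path, content):
    """Write content readable only by the owner (mode 0600), since the
    rendered files contain live credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


if __name__ == "__main__":
    values = generate_secrets()
    rendered = render(ADMIN_OPENRC_TEMPLATE, values)
    assert not find_placeholders(rendered)
    write_private("admin-openrc", rendered)            # hypothetical output path
    write_private("openstack-secrets.env",             # hypothetical output path
                  "".join(f"{k}={v}\n" for k, v in values.items()))
```

Run find_placeholders over each configuration file you edit in sections 3 to 7 before starting the services; an empty list is the check that no default credential survived. The secrets file is the one place the generated values live, so keep it at mode 0600 and off any shared filesystem.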
## 4. Installing and configuring the Image service (Glance)

Glance stores and manages virtual machine images. Before installing it, create the service credentials and API endpoints:

```bash
source ~/admin-openrc
openstack project create --domain default --description "Service Project" service
openstack user create --domain default --password GLANCE_PASS glance
openstack role add --project service --user glance admin
openstack service create --name glance --description "OpenStack Image" image
openstack endpoint create --region RegionOne image public http://controller:9292
openstack endpoint create --region RegionOne image internal http://controller:9292
openstack endpoint create --region RegionOne image admin http://controller:9292
```

Install the Glance package:

```bash
sudo yum install -y openstack-glance
```

Edit /etc/glance/glance-api.conf to configure the database connection and identity authentication:

```ini
[database]
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance

[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = GLANCE_PASS

[paste_deploy]
flavor = keystone

[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
```

Initialize the Glance database and start the service:

```bash
sudo su -s /bin/sh -c "glance-manage db_sync" glance
sudo systemctl enable openstack-glance-api
sudo systemctl start openstack-glance-api
```

Download a test image and upload it to Glance:

```bash
wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
openstack image create cirros \
  --file cirros-0.4.0-x86_64-disk.img \
  --disk-format qcow2 --container-format bare \
  --public
```

The image is fetched over plain HTTP; compare its checksum against the checksum file published in the same download directory before publishing it with --public to every project.

Verify that the image was uploaded successfully:

```bash
openstack image list
```
## 5. Installing and configuring the Compute service (Nova)

Nova is OpenStack's compute service; it manages the lifecycle of virtual machine instances. Before configuring Nova, create the service credentials and API endpoints:

```bash
source ~/admin-openrc
openstack user create --domain default --password NOVA_PASS nova
openstack role add --project service --user nova admin
openstack service create --name nova --description "OpenStack Compute" compute
openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1
```

Install the Nova packages:

```bash
sudo yum install -y openstack-nova-api openstack-nova-conductor \
  openstack-nova-console openstack-nova-novncproxy \
  openstack-nova-scheduler
```

Edit /etc/nova/nova.conf with the following configuration:

```ini
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/
my_ip = 192.168.1.100
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[api]
auth_strategy = keystone

# The two database connections are required by the nova-manage sync steps
# below (they match the nova_api and nova databases created in section 2.1).
[api_database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api

[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova

[keystone_authtoken]
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = NOVA_PASS

[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip

[glance]
api_servers = http://controller:9292

[oslo_concurrency]
lock_path = /var/lib/nova/tmp

[placement]
region_name = RegionOne
project_domain_name = Default
user_domain_name = Default
project_name = service
auth_type = password
auth_url = http://controller:5000/v3
username = placement
password = PLACEMENT_PASS
```

Caveat: the [placement] section refers to a Placement service (user placement, password PLACEMENT_PASS) that this article never installs. In Train, Placement is a separate, mandatory service with its own package (openstack-placement-api), database, Keystone user and endpoint, and nova-scheduler cannot place instances without it. Install it following the Train Placement guide before the nova-manage steps if you want section 8 to succeed.

Initialize the Nova databases:

```bash
sudo su -s /bin/sh -c "nova-manage api_db sync" nova
sudo su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
sudo su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
sudo su -s /bin/sh -c "nova-manage db sync" nova
```

Start the Nova services:

```bash
# nova-consoleauth was removed in the Train release, so it is not enabled here
sudo systemctl enable openstack-nova-api \
  openstack-nova-scheduler \
  openstack-nova-conductor openstack-nova-novncproxy
sudo systemctl start openstack-nova-api \
  openstack-nova-scheduler \
  openstack-nova-conductor openstack-nova-novncproxy
```

## 6. Installing and configuring the Networking service (Neutron)

Neutron provides Networking-as-a-Service (NaaS). We implement basic networking with Linux bridge (the ML2 configuration below uses the linuxbridge mechanism driver only; Open vSwitch is not configured here). First create the service credentials and API endpoints:

```bash
source ~/admin-openrc
openstack user create --domain default --password NEUTRON_PASS neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
openstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:9696
```

Install the Neutron packages:

```bash
sudo yum install -y openstack-neutron openstack-neutron-ml2 \
  openstack-neutron-linuxbridge ebtables
```

Edit /etc/neutron/neutron.conf:

```ini
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true

# Required by the neutron-db-manage step below (neutron database from section 2.1).
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron

[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = NEUTRON_PASS

[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS

[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
```

Configure the ML2 plug-in by editing /etc/neutron/plugins/ml2/ml2_conf.ini:

```ini
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security

[ml2_type_flat]
flat_networks = provider

[ml2_type_vxlan]
vni_ranges = 1:1000

[securitygroup]
enable_ipset = true
```

Configure the Linux bridge agent by editing /etc/neutron/plugins/ml2/linuxbridge_agent.ini (replace eth0 with the name of the interface that carries the provider network on your host):

```ini
[linux_bridge]
physical_interface_mappings = provider:eth0

[vxlan]
enable_vxlan = true
local_ip = 192.168.1.100
l2_population = true

[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
```

The iptables firewall driver only filters bridged traffic when the kernel is told to pass it through netfilter: the Train guide also loads the br_netfilter module and sets net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables to 1 via sysctl. Without that, the security group rules created in section 8 are not enforced on instance traffic.

Configure the DHCP agent by editing /etc/neutron/dhcp_agent.ini:

```ini
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
```

Configure the metadata agent by editing /etc/neutron/metadata_agent.ini:

```ini
[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET
```

Nova must be told how to reach Neutron and must share METADATA_SECRET. This article omits that step: the Train guide adds a [neutron] section to /etc/nova/nova.conf carrying the neutron service credentials (auth_url, auth_type = password, the Default domains, region_name = RegionOne, project_name = service, username = neutron, password = NEUTRON_PASS) plus service_metadata_proxy = true and metadata_proxy_shared_secret = METADATA_SECRET. Add it before the nova-api restart below; otherwise instances cannot fetch their metadata. Likewise, service_plugins = router and the router created in section 8 depend on neutron-l3-agent, which this article does not configure (/etc/neutron/l3_agent.ini needs interface_driver = linuxbridge) or start.

Initialize the Neutron database:

```bash
sudo su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
```

Restart the Nova API service so that it picks up the networking configuration:

```bash
sudo systemctl restart openstack-nova-api
```

Start the Neutron services:

```bash
sudo systemctl enable neutron-server \
  neutron-linuxbridge-agent neutron-dhcp-agent \
  neutron-metadata-agent
sudo systemctl start neutron-server \
  neutron-linuxbridge-agent neutron-dhcp-agent \
  neutron-metadata-agent
```

## 7. Installing and configuring the Dashboard (Horizon)

Horizon is OpenStack's web management interface; it gives users a graphical way to operate the cloud. Install the Horizon package:

```bash
sudo yum install -y openstack-dashboard
```

Edit /etc/openstack-dashboard/local_settings with the following configuration:

```python
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', 'localhost']
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
    }
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': True,
    'enable_quotas': True,
    'enable_ipv6': True,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_fip_topology_check': False,
}
TIME_ZONE = "Asia/Shanghai"
```

ALLOWED_HOSTS = ['*'] accepts any Host header; outside a private lab, list only the controller's hostname and address there. On CentOS 7 the Train guide also adds WSGIApplicationGroup %{GLOBAL} to /etc/httpd/conf.d/openstack-dashboard.conf, which the dashboard needs to load correctly.

Configure the Apache HTTP server to host Horizon and restart it:

```bash
sudo systemctl enable httpd
sudo systemctl restart httpd
```
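Sections 5 and 6 each ask you to assemble a service configuration by hand, and a missing section (the [neutron] block in nova.conf, the [database] connection in neutron.conf) or a stale setting only shows up later as a failed db sync or an instance with no metadata. The Python script below is an added example written for this article, not part of it and not an OpenStack tool: it parses nova.conf- and neutron.conf-style text with configparser, checks for the sections and options the Train procedure depends on, and flags auth settings that weaken the deployment (a non-password auth_type, a leftover admin_token, RabbitMQ's default guest account, the Noop firewall driver without Neutron). The REQUIRED table is this example's own summary of the Train install guide, and the two sample excerpts are constructed from the configuration shown above.

```python
"""Audit nova.conf / neutron.conf excerpts for the sections and options this
guide depends on, and for auth settings that silently weaken the deployment."""
import configparser

# Sections and options each service needs before its db sync / start steps
# (assumed table, summarised from the Train install guide).
REQUIRED = {
    "nova": {
        "DEFAULT": ["transport_url", "enabled_apis", "use_neutron"],
        "api": ["auth_strategy"],
        "api_database": ["connection"],
        "database": ["connection"],
        "keystone_authtoken": ["www_authenticate_uri", "auth_url",
                               "memcached_servers", "auth_type",
                               "username", "password"],
        "placement": ["auth_url", "username", "password"],
        # Nova must reach Neutron and share the metadata proxy secret.
        "neutron": ["auth_url", "username", "password",
                    "service_metadata_proxy", "metadata_proxy_shared_secret"],
    },
    "neutron": {
        "DEFAULT": ["core_plugin", "transport_url", "auth_strategy"],
        "database": ["connection"],
        "keystone_authtoken": ["www_authenticate_uri", "auth_url",
                               "memcached_servers", "auth_type",
                               "username", "password"],
        "nova": ["auth_url", "username", "password"],
    },
}

# Constructed sample: the nova.conf from section 5, with [neutron] still missing.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/
my_ip = 192.168.1.100
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[api]
auth_strategy = keystone

[api_database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api

[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova

[keystone_authtoken]
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
username = nova
password = NOVA_PASS

[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip

[placement]
auth_type = password
auth_url = http://controller:5000/v3
username = placement
password = PLACEMENT_PASS
"""

# Constructed sample: a neutron.conf without the [database] connection.
SAMPLE_NEUTRON_CONF = """\
[DEFAULT]
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:RABBIT_PASS@controller:5672/
auth_strategy = keystone

[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
username = neutron
password = NEUTRON_PASS

[nova]
auth_url = http://controller:5000
auth_type = password
username = nova
password = NOVA_PASS
"""

# The nova sample with the legacy admin_token setting added.
SAMPLE_LEGACY_NOVA_CONF = SAMPLE_NOVA_CONF.replace(
    "[DEFAULT]\n", "[DEFAULT]\nadmin_token = YOUR_ADMIN_TOKEN\n")


def load(text):
    # No interpolation: nova.conf uses "$my_ip", which configparser must not touch.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def audit(service, text):
    """Return a list of findings; an empty list means the excerpt passes."""
    cp = load(text)
    findings = []
    for section, options in REQUIRED[service].items():
        if section != "DEFAULT" and not cp.has_section(section):
            findings.append(f"[{section}] section missing")
            continue
        for opt in options:
            if not cp.has_option(section, opt):
                findings.append(f"[{section}] {opt} not set")
    if cp.has_section("keystone_authtoken") and \
            cp.get("keystone_authtoken", "auth_type", fallback="") != "password":
        findings.append("[keystone_authtoken] auth_type should be 'password'")
    if cp.has_option("DEFAULT", "admin_token"):
        findings.append("[DEFAULT] admin_token is a legacy setting; remove it")
    if cp.get("DEFAULT", "transport_url", fallback="").startswith("rabbit://guest:guest@"):
        findings.append("[DEFAULT] transport_url uses RabbitMQ's default guest account")
    if service == "nova" and "NoopFirewallDriver" in cp.get("DEFAULT", "firewall_driver", fallback="") \
            and cp.get("DEFAULT", "use_neutron", fallback="").lower() != "true":
        findings.append("[DEFAULT] NoopFirewallDriver without use_neutron leaves instances unfiltered")
    return findings


if __name__ == "__main__":
    for name, service, text in [("nova.conf", "nova", SAMPLE_NOVA_CONF),
                                ("neutron.conf", "neutron", SAMPLE_NEUTRON_CONF)]:
        print(name, "->", audit(service, text) or "OK")
```

Point it at the real files (audit("nova", open("/etc/nova/nova.conf").read())) after each edit and before the corresponding db sync step; the REQUIRED table is easy to extend with the options your own environment adds.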
## 8. Creating the first virtual machine instance

With the core OpenStack services installed and configured, we can create the first virtual machine instance. First, some network resources are needed.

Create the external network:

```bash
source ~/admin-openrc
openstack network create --share --external \
  --provider-physical-network provider \
  --provider-network-type flat provider
```

Create the external subnet:

```bash
openstack subnet create --network provider \
  --allocation-pool start=192.168.1.200,end=192.168.1.250 \
  --dns-nameserver 8.8.8.8 --gateway 192.168.1.1 \
  --subnet-range 192.168.1.0/24 provider
```

Create the project network:

```bash
openstack network create selfservice
openstack subnet create --network selfservice \
  --dns-nameserver 8.8.8.8 --gateway 172.16.1.1 \
  --subnet-range 172.16.1.0/24 selfservice
```

Create a router and connect the networks:

```bash
openstack router create router
openstack router add subnet router selfservice
openstack router set router --external-gateway provider
```

Create security group rules that allow ICMP and SSH access:

```bash
openstack security group rule create --proto icmp default
openstack security group rule create --proto tcp --dst-port 22 default
```

Without --remote-ip, both rules default to a source of 0.0.0.0/0, so every instance in the default group accepts ping and SSH from any address that can reach the provider network. For anything beyond a throwaway lab, add --remote-ip with the CIDR you administer from.

Create a key pair for SSH access:

```bash
ssh-keygen -q -N "" -f ~/.ssh/id_rsa
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
```

Launch the first instance:

```bash
openstack server create --flavor m1.tiny --image cirros \
  --nic net-id=$(openstack network show selfservice -f value -c id) \
  --security-group default --key-name mykey instance1
```

Two things this article does not cover are needed for the launch to succeed. Train ships no flavors, so m1.tiny must be created first (the Train guide uses openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.tiny). And the steps above configure only the controller: no nova-compute service has been installed, so there is no host to schedule onto until a compute node (the compute1 entry from section 1) is set up following the Train compute-node guide and registered with nova-manage cell_v2 discover_hosts.

Check the instance status:

```bash
openstack server list
```

When the status becomes ACTIVE, look up the instance's IP address and try to connect:

```bash
openstack server show instance1 -c addresses -f value
```

Finally, open the instance console through the Horizon dashboard to verify that the installation succeeded: browse to http://controller/dashboard and log in as the admin user with the password set earlier.
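The two security group rules in this section are created without --remote-ip, which leaves them open to 0.0.0.0/0; that is the kind of thing worth re-checking after a lab has been handed around. The following Python script is an added example, not part of the article or of the openstack client: it reads the JSON that openstack security group rule list -f json prints, reports every ingress rule whose remote CIDR covers all addresses, and builds the narrower replacement command using the client's --remote-ip option. The sample rule list is constructed to mirror the rules created above; the field names ("IP Range", "Port Range", "Remote Security Group", "Direction") are those the Train-era client prints, and the rule IDs and the admin network 192.168.1.0/24 are assumptions.

```python
"""Flag ingress security-group rules that admit traffic from any address, using
the JSON that `openstack security group rule list -f json` prints."""
import json
from ipaddress import ip_network

# Constructed sample shaped like `openstack security group rule list default -f json`
# (field names as printed by the Train-era client; rule IDs are made up).
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "1111-aaaa", "IP Protocol": "icmp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "ingress",
     "Remote Security Group": None},
    {"ID": "2222-bbbb", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress",
     "Remote Security Group": None},
    {"ID": "3333-cccc", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "", "Port Range": "", "Direction": "ingress",
     "Remote Security Group": "default-group-id"},   # group-scoped, not CIDR
    {"ID": "4444-dddd", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "", "Port Range": "", "Direction": "egress",
     "Remote Security Group": None},
])


def is_unrestricted(ip_range):
    """True when the remote CIDR covers every address (0.0.0.0/0, ::/0 or unset)."""
    if not ip_range:
        return True
    return ip_network(ip_range, strict=False).prefixlen == 0


def audit_rules(rules_json):
    """Return [(rule id, protocol, port range)] for ingress rules open to the world."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("Direction", "ingress") != "ingress":
            continue                      # egress rules are not the concern here
        if rule.get("Remote Security Group"):
            continue                      # scoped to members of a group, not a CIDR
        if is_unrestricted(rule.get("IP Range")):
            findings.append((rule["ID"], rule.get("IP Protocol") or "any",
                             rule.get("Port Range") or "all"))
    return findings


def restrict_command(protocol, port_range, remote_cidr, group="default"):
    """Build the replacement rule command limited to an admin network."""
    cmd = f"openstack security group rule create --proto {protocol}"
    if port_range and port_range != "all":
        low, high = port_range.split(":")
        cmd += f" --dst-port {low}" if low == high else f" --dst-port {low}:{high}"
    return f"{cmd} --remote-ip {remote_cidr} {group}"


if __name__ == "__main__":
    for rule_id, proto, ports in audit_rules(SAMPLE_RULES_JSON):
        print(f"{rule_id}: {proto} {ports} open to any source; replace with:")
        print("  " + restrict_command(proto, ports, "192.168.1.0/24"))
```

Replace SAMPLE_RULES_JSON with the output of openstack security group rule list default -f json to audit a live project; after creating the narrower rule, delete the broad one with openstack security group rule delete and the rule ID the audit printed.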
