Openstack Installation (ver. liberty)

1

OpenStack

Learning Objectives This chapter examine OpenStack architecture and how to

install OpenStack. By the time you finish this chapter, you will be able to do the following : Describe OpenStack architecture Understand OpenStack components How to install OpenStack Liberty

2

Outline 虛擬化技術介紹 Introduction to OpenStack Components of OpenStack OpenStack install

3

虛擬化技術現今雲端運算上的虛擬化技術，主要是將原本運作在實際伺服器上的伺服器作業系統，變成在虛擬化的軟體上執行，因此在硬體故障時，這些伺服器系統便可以很容易地移轉到另外一台已設置好虛擬化軟體的硬體上，系統不需要重新安裝與設定，新硬體與舊硬體也不必是相同規格，可以大幅簡化伺服器的管理。開放原始碼上主流的虛擬化技術大致上分兩種 :

硬體虛擬化（ Hardware Virtualization ）作業系統層級的虛擬化技術（ Operating System-level Virtualization ）

4

參考資料 : http://www.netadmin.com.tw/article_content.aspx?sn=1412020002

硬體虛擬化技術硬體虛擬化的架構是用軟體建立一個模擬真實電腦硬體的虛擬機器（ Virtual Machine ），而原本執行在實際電腦硬體的作業系統，則運作執行在這個虛擬機器上，虛擬機器內運行的作業系統與實際的電腦硬體之間，會有軟體介面隔離控制這些虛擬機器對硬體的存取。進行硬體虛擬化的系統軟體則被稱作 Hypervisor 或虛擬機器管理員（ Virtual Machine Manager ）， Hypervisor 因為主要是在控制虛擬機器的運作，又被稱為虛擬機器監視器（ Virtual Machine Monitor ），縮寫為 VMM 。 OpenSource:KVM 、 Xen

5


虛擬化實現方式

6

目前主流的虛擬化實現方式有兩種 : Type1:VMM 直接運行在硬體上控制所有硬體並管理使用者操作系統系統，例如 :Xen 、 VMware ESXi 。 Type2:VMM 運行在一個傳統的作業系統裡，例如 :KVM 、

VirtualBox 。

作業系統層級的虛擬化技術作業系統層級虛擬化技術的架構，則是藉由讓作業系統核心可以建立多個隔離的使用者空間運作實體技術來達成，使用者在這些隔離的使用者空間中運作，感覺就像在實際獨立的環境內運作一樣，而這些隔離的使用者空間運作實體又被稱為容器（ Containers ）、虛擬化引擎（ Virtualization Engines ， VE ）、虛擬私有伺服器（ Virtual Private Servers ， VPS ）或叫囚室（ jails ）。作業系統核心同時也提供管理這些運作實體使用資源的機制，避免單一運作實體使用系統資源過度，而影響到其他運作實體。 OpenSource:Docker 、 OpenVZ

7


Linux Container 透過 Container 技術可以讓 DevOps 更容易，省去了不少時間與資源成本。 Linux Container 技術是一個內建於 Linux 的新一代虛擬化技術，不同於虛擬機器是一整臺實體電腦的虛擬化， LXC則是應用程式的虛擬化。 LXC 將應用系統打包成一個

Container ，裡面只包含了應用程式的程式碼、所需作業系統核心和函式庫，透過統一的命名空間和共用 API 來分配不同應用程式所在 Container 的可用硬體資源，來創造出應用程式的獨立沙箱執行環境。因為 LXC 技術不需要多一個 Hypervisor 軟體層，因此， Container 容量小且輕量化，可以在數秒內建立應用程式所需的執行環境，遠快於利用傳統虛擬化技術需要數分鐘才能建立虛擬機器的時間。8

參考資料 : http://www.ithome.com.tw/news/90440

Docker 原本 Docker 是以 Linux 容器（ Linux Container ， LXC ）技術為基礎， LXC 是一個使用者空間工具（ User-space

Tools ），提供一個系統介面以銜接核心空間（ Kernel-space ）所提供的作業系統層級虛擬化功能，如控制群組（ Control Groups ， cgroups ）或核心命名空間（ Kernel Namespaces ）。不過， Docker 在 0.9 版開始便自行以Google 發展的 Go 程式語言開發 libcontainer 程式庫以取代 LXC 。

Docker 因為提供了簡易好用的工具及環境，因此成為新崛起且非常熱門的 Linux 作業系統層級虛擬化技術， OpenStack 計畫開始將 Docker 整合進入其雲端平台中。9

參考資料 : http://www.ithome.com.tw/news/90440

雲端界中的 Linux-OpenStack OpenStack允許讓使用者快速部屬雲端的基礎設施環境

(IaaS)叢集，不同於 Hadoop 這類針對特定功能取向的PaaS ， OpenStack 提供的是完整的底層資源與環境部屬，能夠提供商業 IaaS 的大老： Amazon Elastic Compute Cloud(Amazon EC2) 的功能。

10

Amazon EC2 Amazon Elastic Compute Cloud(Amazon EC2) ，由亞馬遜公司提供的 web 服務，是一個讓使用者可以租用雲端電腦運行所需應用的系統。 EC2 藉由提供 web 服務的方式讓使用者可以彈性地運行自己的 Amazon 機器映像檔，使用者將可以在這個虛擬機器上運行任何自己想要的軟體或應用程式。使用者可以隨時創建、執行、終止自己的虛擬伺服器，使用多少時間算多少錢，也因此這個系統是 "彈性 " 使用的。

11參考資料 : https://www.openfoundry.org/tw/resourcecatalog/Cloud-Computing/Infrastructure-Layer/Computing/Amazon-EC2

OpenStack 簡介 OpenStack 專案已經有五年的時間了，從 2010 年 7 月開始開發，原先是由 NASA 主導的專案 Nebula 。後來

NASA 與雲端服務廠商 Rackspace 合作，演變成現在熟知的雲端運算平臺 OpenStack 。

由於 OpenStack 採用開放原始碼授權， Apache 授權協議，相較 GPL 類授權比較寬鬆，因此不少企業選擇 OpenStack 節省成本。 OpenStack 也讓擴大服務能量成為可能，很容易就橫向擴展 (Horizontal Scaling) 規模。

12

OpenStack ReleasesRelease Name Release Date Included Components

Austin 21 October 2010 Nova, Swift

Bexar 3 February 2011 Nova, Glance, Swift

Cactus 15 April 2011 Nova, Glance, Swift

Diablo 22 September 2011 Nova, Glance, Swift

Essex 5 April 2012 Nova, Glance, Swift, Horizon, Keystone

Folsom 27 September 2012 Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder

Grizzly 4 April 2013 Nova, Glance, Swift, Horizon, Keystone, Quantum, Cinder

Havana 17 October 2013 Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat

Icehouse 17 April 2014 Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat, Trove

Juno October 2014 Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat, Trove, Sahara

Kilo April 2015 Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Ceilometer, Heat, Trove, Sahara, Ironic

*Liberty 16 October 2015 Nova, Glance, Swift, Horizon, Keystone, Neutron, Cinder, Heat, Ceilometer, Trove, Sahara, Ironic, Zaqar, Manila, Designate, Barbican

13

* 為現在 Releases最新版本

OpenStack產業界應用 ( 一 )

CERN 使用了 5千臺運算節點來執行 OpenStack 環境， 4,800 臺執行 KVM ，而 200 臺則執行 Hyper-V 虛擬化平臺，共有 16萬個核心，來執行 13萬個 VM 。目前有 2千位研究人員使用，建立了超過 2,300 個專案。14

OpenStack產業界應用 (二 ) 日本發生地震後，在數十秒內，日本雅虎資料中心的網路流量瞬間暴增為平時尖峰的 3倍，如何事先打造出一套可以應付這種瞬間爆量的基礎架構，是日本雅虎資料中心面臨的一大挑戰。由於 OpenStack 軟體上的效能改進，單櫃伺服器所能執行的虛擬機器，也從 400 個提高到單櫃 2,000 個。日本雅虎目前部署了超過 20 個 OpenStack叢集，總儲存容量達 20PB(10 的 15次方 byte) ，可用性能達到

99.996％。

15參考資料 : http://www.ithome.com.tw/news/98304

OpenStack users PayPal / eBay NASA Yahoo! HP Public Cloud Wikimedia Labs Cisco WebEx more…(http://www.openstack.org/user-stories)

16

OpenStack Overview What is OpenStack? Open Source Cloud Software

mostly deployed as an infrastructure-as-a-service (IaaS) Combines compute, network and storage resources

Web portal for cloud admins and self-service users Cloud services exposed through APIs

17

Components of OpenStack-Nova

18

Nova – Compute:It provides virtual servers upon demand. Nova is the most complicated and distributed component of OpenStack. A large number of processes cooperate to turn end user API requests into running virtual machines.

Components of OpenStack-Glance

19

Glance – Image Store:It provides discovery, registration and delivery services for disk and server images. Glance accepts API requests for images (or image metadata) from end users or Nova components and can store its disk files in the object storage service, Swift or other storage repository.

Components of OpenStack-Neutron

20

Neutron – Network:It provides “ network connectivity as a service ” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). The service works by allowing users to create their own networks and then attach interfaces to them. Neutron will interact mainly with Nova, where it will provide networks and connectivity for its instances.

Components of OpenStack-Swift

21

Swift – Object Storage:Object store allows you to store or retrieve files. It provides a fully distributed, API-accessible storage platform that can be integrated directly into applications or used for backup, archiving and data retention.

Components of OpenStack-Cinder

22

Cinder – Block Storage:Cinder is more analogous to the traditional notion of a computer being able to access specific locations on a disk drive. This more traditional way of accessing files might be important in scenarios in which data access speed is the most important consideration.

Components of OpenStack-Keystone

23

Keystone – Identity:Keystone is a framework for authentication and authorization for all the OpenStack services. It handles API requests as well as providing configurable catalog, policy, token and identity services. It provides the ability to add users to and to manage permissions between users and groups. Permissions include the ability to launch and terminate instances.

Components of OpenStack-Horizon

24

Horizon – Dashboard:It provides a modular web-based user interface for all the OpenStack services. With this web GUI, you can perform most operations on your cloud like launching an instance, assigning IP addresses and setting access controls.

Components of OpenStack-Ceilometer

25

Ceilometer – Telemetry:Ceilometer was originally designed to support billing systems for OpenStack cloud resources. This project only covers the metering portion of the required processing for billing. This service collects information about the system and stores it in the form of samples in order to provide data about anything that can be billed.

Components of OpenStack-Heat

26

Heat – Orchestration:Heat stacks are defined with templates, which are non-procedural documents that describe tasks in terms of resources, parameters, inputs, constraints, and dependencies. When the Orchestration service was originally introduced, it worked with AWS CloudFormation templates, which are in the JSON format.

Sahara - Data Processing Trove - Database as a Service Ironic - Bare Metal Zaqar - Message service Barbican - Key management Designate DNS - DNS Manila - Shared Filesystems Magnum - Containers service Murano - Application catalog

27

Components of OpenStack-Others

OpenStack Liberty Install Environment deployment Identity service install Image service install Compute service install Networking service install Dashboard install(optional)

28

安裝時，請參考 OpenStack官方網站的文件 :http://docs.openstack.org/liberty/install-guide-ubuntu/

OpenStack Liberty官方 demo 影片 :https://www.youtube.com/watch?v=e7r2-p8Mki4

Environment deployment Environment deployment Identity service install Image service install Compute service install Networking service install Dashboard install(optional)

29

安裝時，請參考 OpenStack官方網站的文件 :http://docs.openstack.org/liberty/install-guide-ubuntu/environment.html

Environment- 虛擬機軟體選擇

30

下載網址 :https://www.vmware.com/tw/products/workstation/workstation-evaluation.html

Environment- 硬體需求

31

Environment-Networking

32

Environment- 新增虛擬機

33

Environment- 新增虛擬機 (Cont.)

34

本範例映像檔使用 Ubuntu desktop 64位元 14.04 版本Environment- 新增虛擬機 (Cont.)

35

第二個虛擬機 full name 和 user name 設為 compute


36


37


38


39

Environment-Networking(Cont.)為了能夠讓兩台 VM都能有兩個 NIC ，先將兩個 VM關閉，並各別新增一個 VM 的 Network Adapter( 兩台 VM都必須新增 ) ，新增的 NIC網路連線選擇 LAN segement 。

40

另外要將兩台 VM 的硬體資源做調整Controller node memory調成 4G 以上 ,Compute node memory調成 2G 以上Controller/Compute node processors 2顆以上然後再按 Add…

Environment-Networking(Cont.)

41


42


43

新增兩個 LAN segemants for controller node and compute node


44

Controller node 與 Compute node 分別各選一個 LAN segement


45


46

確認第二張未被分配 IP 的網卡已經加入 VM:# ifconfig


Controller node# vim /etc/network/interfaces

# vim /etc/hosts# vim /etc/hostname ubuntu 改成 controller→ reboot your VM

47


Compute node# vim /etc/network/interfaces

# vim /etc/hosts# vim /etc/hostname ubuntu 改成 compute→ reboot your VM

48

Verify connectivity

Controller node# ping compute

Compute node# ping controller

49

Environment-OpenStack package

All nodes# apt-get install software-properties-common# add-apt-repository cloud-archive:liberty# apt-get update && apt-get dist-upgrade# apt-get install python-openstackclient

50

Environment-SQL database

Controller node# apt-get install mariadb-server python-pymysql→ 設定 SQL password# vim /etc/mysql/conf.d/mysqld_openstack.cnf

# service mysql restart

51

Bind-address 設定controller node 的 IP address

Environment-Message queue

Controller node# apt-get install rabbitmq-server# rabbitmqctl add_user openstack RABBIT_PASSReplace RABBIT_PASS with a suitable password.# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

52

Identity service Environment deployment Identity service install Image service install Compute service install Networking service install dashboard install(optional)

53

安裝時，請參考 OpenStack官方網站的文件 :http://docs.openstack.org/liberty/install-guide-ubuntu/keystone.html

Identity service(Cont.)

54

Controller node# mysql –u root -p> CREATE DATABASE keystone;> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'KEYSTONE_DBPASS';GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS';Replace KEYSTONE_DBPASS with a suitable password.> exit


55

# openssl rand -hex 10→ 記下這個 random value# echo "manual" > /etc/init/keystone.override# apt-get install keystone apache2 libapache2-mod-wsgi \ memcached python-memcache# vim /etc/keystone/keystone.conf

Replace ADMIN_TOKEN with the random value that you generated in a previous step.

[DEFAULT]...admin_token = ADMIN_TOKENverbose = True


56

Replace KEYSTONE_DBPASS with the password you chose for the database.

# su -s /bin/sh -c "keystone-manage db_sync" keystone

[database]...connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[memcache]...servers = localhost:11211

[token]...provider = uuiddriver = memcache

[revoke]...driver = sql

Identity service(Cont.) # vim /etc/apache2/apache2.conf

# vim /etc/apache2/sites-available/wsgi-keystone.conf

57

...ServerName controller...

Listen 5000Listen 35357

<VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> ErrorLog /var/log/apache2/keystone.log CustomLog /var/log/apache2/keystone_access.log combined


58

<Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory></VirtualHost>

<VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion>


# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled# service apache2 restart# rm -f /var/lib/keystone/keystone.db

59

ErrorLog /var/log/apache2/keystone.log CustomLog /var/log/apache2/keystone_access.log combined

<Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory></VirtualHost>

Identity service(Cont.) # export OS_TOKEN=ADMIN_TOKENReplace ADMIN_TOKEN with the random value that you generated from page 56# export OS_URL=http://controller:35357/v3# export OS_IDENTITY_API_VERSION=3# openstack service create --name keystone --description "OpenStack Identity" identity

60

Identity service(Cont.) # openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0

# openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0# openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0

61

三個 endpoint說明請參考 :http://docs.openstack.org/liberty/install-guide-ubuntu/keystone-services.html

Identity service(Cont.) # openstack project create --domain default --description "Admin Project" admin

# openstack user create --domain default --password-prompt admin

62

Identity service(Cont.) # openstack role create admin

# openstack role add --project admin --user admin admin# openstack project create --domain default --description "Service Project" service

63

Identity service(Cont.) # openstack project create --domain default --description "Demo Project" demo

# openstack user create --domain default --password-prompt demo

64

Identity service(Cont.) # openstack role create user

# openstack role add --project demo --user demo user

65

Identity service-Verify operation

66

# vim /etc/keystone/keystone-paste.ini

remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

Identity service-Verify operation(Cont.)# unset OS_TOKEN OS_URL# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue

# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue

67

→ 建立兩個檔案 admin-openrc.sh( 上 ), demo-openrc.sh(下 )

Replace ADMIN_PASS/DEMO_PASS with the password you chose for the demo user in the Identity service.

Create client environment scripts

68

export OS_PROJECT_DOMAIN_ID=defaultexport OS_USER_DOMAIN_ID=defaultexport OS_PROJECT_NAME=adminexport OS_TENANT_NAME=adminexport OS_USERNAME=adminexport OS_PASSWORD=ADMIN_PASSexport OS_AUTH_URL=http://controller:35357/v3export OS_IDENTITY_API_VERSION=3

export OS_PROJECT_DOMAIN_ID=defaultexport OS_USER_DOMAIN_ID=defaultexport OS_PROJECT_NAME=demoexport OS_TENANT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=DEMO_PASSexport OS_AUTH_URL=http://controller:5000/v3export OS_IDENTITY_API_VERSION=3

Using the scripts# source admin-openrc.sh# openstack token issue

69

OpenStack Liberty Install Environment deployment Identity service install Image service install Compute service install Networking service install dashboard install(optional)

70

安裝時，請參考 OpenStack官方網站的文件 :http://docs.openstack.org/liberty/install-guide-ubuntu/glance.html

Image service

71

Controller node# mysql -u root -p> CREATE DATABASE glance;> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'GLANCE_DBPASS';GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \ IDENTIFIED BY 'GLANCE_DBPASS';Replace GLANCE_DBPASS with a suitable password.> exit

Image service(Cont.)

72

# source admin-openrc.sh# openstack user create --domain default --password-prompt glance

# openstack role add --project service --user glance admin# openstack service create --name glance --description "OpenStack Image service" image

Image service (Cont.) # openstack endpoint create --region RegionOne image public http://controller:9292

# openstack endpoint create --region RegionOne image internal http://controller:9292# openstack endpoint create --region RegionOne image admin http://controller:9292

73


74

# apt-get install glance python-glanceclient# vim /etc/glance/glance-api.conf

Replace GLANCE_DBPASS with the password you chose for the Image service database & Replace GLANCE_PASS with the password you chose for the glance user in the Identity service.

[database]...connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance

[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = glancepassword = GLANCE_PASS


75

[paste_deploy]...flavor = keystone

[glance_store]...default_store = filefilesystem_store_datadir = /var/lib/glance/images/

[DEFAULT]...notification_driver = noopverbose = True


76

# vim /etc/glance/glance-registry.conf

Replace GLANCE_DBPASS with the password you chose for the Image service database & Replace GLANCE_PASS with the password you chose for the glance user in the Identity service.

[database]...connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance

[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = glancepassword = GLANCE_PASS

# su -s /bin/sh -c "glance-manage db_sync" glance# service glance-registry restart# service glance-api restart# rm -f /var/lib/glance/glance.sqlite


77

[paste_deploy]...flavor = keystone

[DEFAULT]...notification_driver = noopverbose = True

Image service-Verify operation# echo "export OS_IMAGE_API_VERSION=2" | tee -a admin-openrc.sh demo-openrc.sh

# source admin-openrc.sh# wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img# glance image-create --name "cirros" \ --file cirros-0.3.4-x86_64-disk.img \ --disk-format qcow2 --container-format bare \ --visibility public --progress# glance image-list

78

http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img



Image service-Verify operation(Cont.)

79


80


Compute service

81

Controller node# mysql -u root -p> CREATE DATABASE nova;> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \ IDENTIFIED BY 'NOVA_DBPASS';GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \ IDENTIFIED BY 'NOVA_DBPASS';Replace NOVA_DBPASS with a suitable password.> exit

Compute service(Cont.)

82

# source admin-openrc.sh# openstack user create --domain default --password-prompt nova# openstack role add --project service --user nova admin# openstack service create --name nova --description "OpenStack Compute" compute# openstack endpoint create --region RegionOne compute public http://controller:8774/v2/%$tenant_id$s# openstack endpoint create --region RegionOne compute internal http://controller:8774/v2/%$tenant_id$s# openstack endpoint create --region RegionOne compute admin http://controller:8774/v2/%$tenant_id$s


83

# apt-get install nova-api nova-cert nova-conductor nova-consoleauth nova-novncproxy nova-scheduler python-novaclient# vim /etc/nova/nova.conf

CONTROLLER_IP_ADDRESS 在本投影片範例應設為192.168.174.143 參考投影片 p.33 網路環境

[DEFAULT]...rpc_backend = rabbitauth_strategy = keystonemy_ip = CONTROLLER_IP_ADDRESSnetwork_api_class = nova.network.neutronv2.api.APIsecurity_group_api = neutronlinuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriverfirewall_driver = nova.virt.firewall.NoopFirewallDriverenabled_apis=osapi_compute,metadataverbose = True


84

Replace NOVA_DBPASS with the password you chose for the Compute database.

Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

[database]...connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova

[oslo_messaging_rabbit]...rabbit_host = controllerrabbit_userid = openstackrabbit_password = RABBIT_PASS


85

Replace NOVA_PASS with the password you chose for the nova user in the Identity service.

[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = novapassword = NOVA_PASS

[vnc]...vncserver_listen = $my_ipvncserver_proxyclient_address = $my_ip


86

# su -s /bin/sh -c "nova-manage db sync" nova# service nova-api restart# service nova-cert restart# service nova-consoleauth restart# service nova-scheduler restart# service nova-conductor restart# service nova-novncproxy restart# rm -f /var/lib/nova/nova.sqlite

[glance]...host = controller

[oslo_concurrency]...lock_path = /var/lib/nova/tmp


87

Compute node# apt-get install nova-compute sysfsutils# vim /etc/nova/nova.conf

COMPUTE_IP_ADDRESS 在本投影片範例應設為 192.168.174.144 ( 參考投影片 p.33 網路環境 )

[DEFAULT]...rpc_backend = rabbitauth_strategy = keystonemy_ip = COMPUTE_IP_ADDRESSnetwork_api_class = nova.network.neutronv2.api.APIsecurity_group_api = neutronlinuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriverfirewall_driver = nova.virt.firewall.NoopFirewallDriververbose = True


88




[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = novapassword = NOVA_PASS


89

[vnc]...enabled = Truevncserver_listen = 0.0.0.0vncserver_proxyclient_address = $my_ipnovncproxy_base_url = http://controller:6080/vnc_auto.html

[glance]...host = controller

[oslo_concurrency]...lock_path = /var/lib/nova/tmp

Compute service(Cont.)# egrep -c '(vmx|svm)' /proc/cpuinfo→若輸出數值大於等於 1 則不需做額外設定 ,若數值等於0:# vim /etc/nova/nova-compute.conf

kvm 改為 qemu# service nova-compute restart# rm -f /var/lib/nova/nova.sqlite

90

[DEFAULT]compute_driver=libvirt.LibvirtDriver[libvirt]virt_type=kvm

Compute service-Verify operationController node# source admin-openrc.sh# nova service-list

# nova endpoints

91

Compute service-Verify operation(Cont.)

92

Ignore any warnings in this output.# nova image-list


93

安裝時，請參考 OpenStack官方網站的文件 :http://docs.openstack.org/liberty/install-guide-ubuntu/OpenStack網路介紹http://docs.openstack.org/liberty/networking-guide/intro-networking.html

Networking service

94

Controller node# mysql -u root -p> CREATE DATABASE neutron;> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';Replace NEUTRON_DBPASS with a suitable password.> exit

Networking service(Cont.)

95

# source admin-openrc.sh# openstack user create --domain default --password-prompt neutron

# openstack role add --project service --user neutron admin# openstack service create --name neutron --description "OpenStack Networking" network

Networking service(Cont.)# openstack endpoint create --region RegionOne network public http://controller:9696

# openstack endpoint create --region RegionOne network internal http://controller:9696# openstack endpoint create --region RegionOne network admin http://controller:9696

96

Networking service(Cont.)Configure networking options1. Provider networks: deploys the simplest possible

architecture that only supports attaching instances to public (provider) networks. No self-service networks, routers, or floating IP addresses. Only the admin or other privileged user can manage provider networks.

2. Self-service networks: augments option 1 with layer-3 services that support attaching instances to self-service (private) networks. The demo or other unprivileged user can manage self-service networks including routers that provide connectivity between self-service and provider networks. Additionally, floating IP addresses provide connectivity to instances using self-service networks from external networks such as the Internet.

97


98

Controller node# apt-get install neutron-server neutron-plugin-ml2 neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent neutron-metadata-agent python-neutronclient conntrack# vim /etc/neutron/neutron.conf[DEFAULT]...core_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerpc_backend = rabbitauth_strategy = keystonenotify_nova_on_port_status_changes = Truenotify_nova_on_port_data_changes = Truenova_url = http://controller:8774/v2verbose = True


99

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service.

[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = neutronpassword = NEUTRON_PASS


100

Replace NEUTRON_DBPASS with the password you chose for the database.


[database]...connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron

[nova]...auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultregion_name = RegionOneproject_name = serviceusername = novapassword = NOVA_PASS


101




102

# vim /etc/neutron/plugins/ml2/ml2_conf.ini[ml2]...type_drivers = flat,vlan,vxlantenant_network_types = vxlanmechanism_drivers = linuxbridge,l2populationextension_drivers = port_security

[ml2_type_flat]...flat_networks = public

[securitygroup]...enable_ipset = True

[ml2_type_vxlan]...vni_ranges = 1:1000


103

# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

Replace PUBLIC_INTERFACE_NAME with the name of the underlying physical public network interface.PUBLIC_INTERFACE_NAME 在本投影片範例應設為 eth0 ( 參考投影片 p.33 網路環境 )

Replace PUBLIC_INTERFACE_IP_ADDRESS with the name of the underlying physical public network interface.PUBLIC_INTERFACE_IP_ADDRESS 在本投影片範例應設為 192.168.174.143 ( 參考投影片 p.33 網路環境 )

[linux_bridge]...physical_interface_mappings = public:PUBLIC_INTERFACE_NAME

[vxlan]enable_vxlan = Truelocal_ip = OVERLAY_INTERFACE_IP_ADDRESSl2_population = True


104

[agent]...prevent_arp_spoofing = True

[securitygroup]...enable_security_group = Truefirewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver


105

# vim /etc/neutron/l3_agent.ini

# vim /etc/neutron/dhcp_agent.ini

# vim /etc/neutron/dnsmasq-neutron.conf

[DEFAULT]...verbose = Trueinterface_driver = neutron.agent.linux.interface.BridgeInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasqenable_isolated_metadata = Truednsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

[DEFAULT]...interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriverexternal_network_bridge =verbose = True

dhcp-option-force=26,1450


106

# vim /etc/neutron/metadata_agent.ini

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service & Replace METADATA_SECRET with a suitable secret for the metadata proxy.

[DEFAULT]...auth_uri = http://controller:5000auth_url = http://controller:35357auth_region = RegionOneauth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = neutronpassword = NEUTRON_PASSnova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRETverbose = True


107

# vim /etc/nova/nova.conf

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service & Replace METADATA_SECRET with the secret you chose for the metadata proxy.

[neutron]...url = http://controller:9696auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultregion_name = RegionOneproject_name = serviceusername = neutronpassword = NEUTRON_PASS

service_metadata_proxy = Truemetadata_proxy_shared_secret = METADATA_SECRET


108

# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron# service nova-api restart# service neutron-server restart# service neutron-plugin-linuxbridge-agent restart# service neutron-dhcp-agent restart# service neutron-metadata-agent restart# service neutron-l3-agent restart# rm -f /var/lib/neutron/neutron.sqlite

Networking service

109

Compute node# apt-get install neutron-plugin-linuxbridge-agent conntrack# vim /etc/neutron/neutron.confIn the [database] section, comment out any connection options because compute nodes do not directly access the database.

[DEFAULT]...rpc_backend = rabbitauth_strategy = keystoneverbose = True


110

Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ & Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service.


[keystone_authtoken] # 註解掉 [keystone_authtoken] section 中其他設定...auth_uri = http://controller:5000auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultproject_name = serviceusername = neutronpassword = NEUTRON_PASS


111

# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

Replace PUBLIC_INTERFACE_NAME with the name of the underlying physical public network interface.PUBLIC_INTERFACE_NAME 在本投影片範例應設為 eth0 ( 參考投影片 p.33 網路環境 )

Replace OVERLAY_INTERFACE_IP_ADDRESS with the name of the underlying physical public network interface.PUBLIC_INTERFACE_IP_ADDRESS 在本投影片範例應設為 192.168.174.144 ( 參考投影片 p.33 網路環境 )

[linux_bridge]...physical_interface_mappings = public:PUBLIC_INTERFACE_NAME

[vxlan]enable_vxlan = Truelocal_ip = OVERLAY_INTERFACE_IP_ADDRESSl2_population = True


112

[agent]...prevent_arp_spoofing = True

[securitygroup]...enable_security_group = Truefirewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver


113

# vim /etc/nova/nova.conf

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service.# service nova-compute restart# service neutron-plugin-linuxbridge-agent restart

[neutron]...url = http://controller:9696auth_url = http://controller:35357auth_plugin = passwordproject_domain_id = defaultuser_domain_id = defaultregion_name = RegionOneproject_name = serviceusername = neutronpassword = NEUTRON_PASS

Networking service-Verify operation

114

Controller Node# source admin-openrc.sh# neutron ext-list

# neutron agent-list

Finally!!-Let’s launch an instance

115

Controller nodeAfter you launch an instance, you have to generate a key pair, add security group rules and create virtual networks first.

Generate a key pair# source admin-openrc.sh# ssh-keygen -q -N ""# nova keypair-add --pub-key ~/.ssh/id_rsa.pub mykey# nova keypair-list

Launch an instance(Cont.)

116

Add security group rules # nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0


117

Create virtual networks This section creates the necessary virtual networks to support launching one more instances. Networking option 1 includes one public virtual network and one instance that uses it. Networking option 2 includes one public virtual network, one private virtual network, and one instance that uses each network. The instructions in this section use command-line interface (CLI) tools on the controller node.

Create virtual networks for the networking option that you chose at Page.98. If you chose option 1(Provider networks), create only the public virtual network. If you chose option 2(Self-service networks), create the public and private virtual networks.


118

Create the public network# source admin-openrc.sh# neutron net-create public --shared --provider:physical_network public --provider:network_type flat


119

Create the public network(Cont.)# neutron subnet-create public 192.168.174.0/24 --name public --allocation-pool start=192.168.174.50,end=192.168.174.100 --dns-nameserver 8.8.4.4 --gateway 192.168.174.2

請參考自己的虛擬機器軟體 NAT的設定建立subnet


120

本實驗投影片 Vmware Workstation NAT 的設定Vmware Workstation NAT Settings:Edit → Virtual Network Editer → Vmnet8(NAT) → NAT settings


121

Create the private project network# source admin-openrc.sh# neutron net-create private


122

Create the private project network(Cont.)# neutron subnet-create private 172.16.1.0/24 --name private --dns-nameserver 8.8.4.4 --gateway 172.16.1.1


123

Create a router# source admin-openrc.sh# neutron net-update public --router:external# neutron router-create router

# neutron router-interface-add router private# neutron router-gateway-set router public


124

Verify operation# source admin-openrc.sh# ip netns

# neutron router-port-list router


125

Launch a public network instance# nova boot --flavor m1.tiny --image cirros --nic net-id=PUBLIC_NET_ID --security-group default --key-name mykey public-instanceReplace PUBLIC_NET_ID with the ID of the public provider network.( 若不知道 public netwrok 的 ID 可以下此command 查看 :# neutron net-list)


126

Launch a public network instance(Cont.)# nova list

Access the instance using the virtual console# nova get-vnc-console public-instance novnc

複製此段網址貼到瀏覽器即可以 novnc 存取此 instance 的 console


127

Launch a public network instance(Cont.)


128

Launch a public network instance(Cont.)


129

Launch a private network instance# nova boot --flavor m1.tiny --image cirros --nic net-id=PRIVATE_NET_ID --security-group default --key-name mykey private-instanceReplace PRIVATE_NET_ID with the ID of the public provider network.( 若不知道 private netwrok 的 ID 可以下此command 查看 :# neutron net-list)


130

Launch a private network instance(Cont.)# nova list

Access the instance using the virtual console# nova get-vnc-console private-instance novnc

複製此段網址貼到瀏覽器即可以 novnc 存取此 instance 的 console


131

Launch a private network instance(Cont.)


132

Launch a private network instance(Cont.)


133


Dashboard(optional)

134

Controller node# apt-get install openstack-dashboard# vim /etc/openstack-dashboard/local_settings.py

Comment out any other session storage configuration.

OPENSTACK_HOST = "controller"

ALLOWED_HOSTS = ['*', ]

CACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION': '127.0.0.1:11211', }}

Dashboard (Cont.)

135

OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

OPENSTACK_API_VERSIONS = { "identity": 3, "volume": 2,}

OPENSTACK_NEUTRON_NETWORK = { ... 'enable_router': False, 'enable_quotas': False, 'enable_distributed_router': False, 'enable_ha_router': False, 'enable_lb': False, 'enable_firewall': False, 'enable_vpn': False, 'enable_fip_topology_check': False,}

If you chose networking option 1, disable support for layer-3 networking services:

若你安裝的是第二裝網路模式則不用更變上面這段程式碼

Dashboard (Cont.)

136

Replace TIME_ZONE with UTC.# service apache2 reloadAccess the dashboard using a web browser at http://controller<or type IP address>/horizon.Authenticate using admin user and default domain credentials.Domain:defaultUser Name:admin or demoPassword:Your admin passwordor demo password

TIME_ZONE = "TIME_ZONE"

Dashboard Demo(Instance)

137

Dashboard Demo(Image)

138

Dashboard Demo(Network)

139

Resources OpenStack Documentationhttp://docs.openstack.org/ OpenStack facebook Taiwanhttps://www.facebook.com/groups/openstack.tw/?fref=ts Ask.OpenStackhttps://ask.openstack.org/en/questions/

140

References OpenStack Documentation http://docs.openstack.org/ OpenStack GitBook https://kairen.gitbooks.io/openstack/content/

141

Any Question?

Technology

Openstack Installation (ver. liberty)