OpenStack Newton deployment

一、Environment

Two hosts are needed:
192.168.100.181  controller  (control node and compute node)
192.168.100.182  compute1    (compute node)

Install CentOS 7.2.

Disable the firewall (on both the control node and the compute node).

Disable SELinux in /etc/sysconfig/selinux:
SELINUX=disabled
setenforce 0

Disable iptables/firewalld:
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service

The following table lists the services that need passwords and the relationships between them:

1. Control node server

The control node has two network interfaces:
eth1: 192.168.100.181
eth2: no IP address, trunk mode

Add the host entries to /etc/hosts.

Set up the NTP service:
# yum install chrony
Edit /etc/chrony.conf:
allow 192.168.100.0/24    (allow the 192.168.100.0 subnet to query this server)
Start the NTP service:
# systemctl enable chronyd.service
# systemctl start chronyd.service
# timedatectl set-timezone Asia/Shanghai    set the time zone
# timedatectl status                        check the time zone

Install the OpenStack repository and packages:
yum install centos-release-openstack-newton
yum upgrade
yum install python-openstackclient
yum install openstack-selinux
yum install mariadb mariadb-server python2-PyMySQL
yum install rabbitmq-server
yum install memcached python-memcached
yum install openstack-keystone httpd mod_wsgi
yum install openstack-glance
yum install openstack-nova-api openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler
yum install openstack-nova-compute
yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables ipset
yum install openstack-dashboard

Allow the nova user to log in:
usermod -s /bin/bash nova

Generate keys (run on every compute node; the control node also needs the trust relationship):
su - nova
/usr/bin/ssh-keygen -t rsa
/usr/bin/ssh-keygen -t dsa

Configure the following on all compute nodes:
cat << EOF > ~/.ssh/config
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
EOF

Distribute the SSH keys to each compute node.
On computer1:
scp id_dsa.pub 192.168.100.181:/var/lib/nova/.ssh/id_dsa.pub3
scp id_rsa.pub 192.168.100.181:/var/lib/nova/.ssh/id_rsa.pub3
On controller (192.168.100.181):
cat id_dsa.pub id_dsa.pub2 id_rsa.pub id_rsa.pub2 id_rsa.pub3 id_dsa.pub3 > authorized_keys
chmod 644 authorized_keys
scp authorized_keys computer1:/var/lib/nova/.ssh
Fix the ownership:
chown nova:nova /var/lib/nova/.ssh/id_rsa /var/lib/nova/.ssh/authorized_keys

Database configuration

Create the /etc/f.d/f file:
[root@controller ~]# cat /etc/f.d/f
[mysqld]
bind-address = 192.168.100.181
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

Start MariaDB:
# systemctl enable mariadb.service
# systemctl start mariadb.service

To secure the database service, run the mysql_secure_installation script.
In particular, set a proper password for the database root user.
# mysql_secure_installation
Password: 123456

Complete the following steps to create the databases:
1. Connect to the database server as root with the database client:
# mysql -u root -p

Create the keystone database:
mysql> CREATE DATABASE keystone;
Grant the proper privileges on the keystone database:
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password (here we use keystone).

Create the glance database:
mysql> CREATE DATABASE glance;
Grant the proper privileges on the glance database:
mysql> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
  IDENTIFIED BY 'GLANCE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
  IDENTIFIED BY 'GLANCE_DBPASS';
Replace GLANCE_DBPASS with a suitable password (here we use glance).

Create the nova_api and nova databases:
mysql> CREATE DATABASE nova_api;
mysql> CREATE DATABASE nova;
Grant the proper privileges on the databases:
mysql> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \
  IDENTIFIED BY 'NOVA_DBPASS';
mysql> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
  IDENTIFIED BY 'NOVA_DBPASS';
mysql> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
  IDENTIFIED BY 'NOVA_DBPASS';
mysql> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
  IDENTIFIED BY 'NOVA_DBPASS';
Replace NOVA_DBPASS with a suitable password (here we use nova).

Create the neutron database:
mysql> CREATE DATABASE neutron;
Grant the proper access privileges on the neutron database, replacing NEUTRON_DBPASS with a suitable password:
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
  IDENTIFIED BY 'NEUTRON_DBPASS';
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
  IDENTIFIED BY 'NEUTRON_DBPASS';
(Here we use the password neutron.)

RabbitMQ configuration

Start RabbitMQ:
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
Add the openstack user:
# rabbitmqctl add_user openstack RABBIT_PASS
Replace RABBIT_PASS with a suitable password.
Configure write and read permissions for the openstack user:
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
# rabbitmq-plugins list                          # list the supported plugins
# rabbitmq-plugins enable rabbitmq_management    # enable the management plugin
# systemctl restart rabbitmq-server.service
# lsof -i:15672
Open the RabbitMQ management interface at http://192.168.100.181:15672. The default username and password are both guest. In the browser, add the openstack user to the group and test logging in; if you cannot connect, the usual cause is that the firewall has not been stopped. Then log out and log in again as openstack.

Start memcached:
# systemctl enable memcached.service
# systemctl start memcached.service

1. Keystone configuration

Edit the /etc/keystone/keystone.conf configuration file:
cat /etc/keystone/keystone.conf | grep -v "^#" | grep -v "^$"
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
(The provider = fernet option belongs in the [token] section; placed under [fernet_tokens] it is ignored.)

Initialize the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet keys:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the keystone service:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:35357/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
ADMIN_PASS is the login password and administrator password (here admin).

Configure the Apache HTTP server
Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the control node:
ServerName controller
Create a link to /usr/share/keystone/wsgi-keystone.conf:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the HTTP service:
# systemctl enable httpd.service
# systemctl start httpd.service

Configure the administrative account:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=default
$ export OS_PROJECT_DOMAIN_NAME=default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
ADMIN_PASS is the administrator password (here admin).

Create the service project:
$ openstack project create --domain default --description "Service Project" service
Create the demo project:
$ openstack project create --domain default --description "Demo Project" demo
Create the demo user:
$ openstack user create --domain default --password-prompt demo
Create the user role:
$ openstack role create user
Add the user role to the demo project and the demo user:
$ openstack role add --project demo --user demo user

For security reasons, disable the temporary authentication token mechanism: edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
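The database sections above repeat the same CREATE DATABASE / GRANT pattern for keystone, glance, nova (two databases, one user) and neutron. The shell function below is an added example, not part of the original guide: it emits those statements for any service from one user/password pair and a list of databases, so the password is typed once and its output can be piped into `mysql -u root -p` on the controller. The `IF NOT EXISTS` clause, the `FLUSH PRIVILEGES` line and the rejection of passwords containing quotes or backslashes are additions of this example; the guide's own statements do not have them.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the CREATE DATABASE and
# GRANT statements for one OpenStack service. Nothing here talks to MariaDB;
# pipe the output into "mysql -u root -p" on the controller.

# usage: service_db_sql <db_user> <db_password> <database>...
# e.g.   service_db_sql nova nova nova_api nova     (the guide's nova setup)
service_db_sql() {
  user=$1
  pass=$2
  shift 2

  # A quote or backslash in the password would end the SQL string literal
  # early, so the grant would fail or use a different password than intended;
  # refuse such passwords up front instead of emitting broken SQL.
  case $pass in
    *\'*|*\\*)
      echo "service_db_sql: password must not contain ' or \\" >&2
      return 1
      ;;
  esac

  for db in "$@"; do
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    # One grant for connections from the controller itself and one for any
    # host ('%'), which is what lets compute1 reach the controller's MariaDB.
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$user" "$pass"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%%' IDENTIFIED BY '%s';\n" "$db" "$user" "$pass"
  done
  printf "FLUSH PRIVILEGES;\n"
}

# Stand-alone demo: print the statements for the guide's nova service
# (user nova, databases nova_api and nova).
service_db_sql nova nova nova_api nova
```

To apply it on the controller, run for example `service_db_sql neutron "$NEUTRON_DBPASS" neutron | mysql -u root -p`; the password then lives in a shell variable rather than being pasted into four interactive statements.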
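The last step above, removing admin_token_auth from the three keystone-paste.ini pipelines, is easy to get half right by hand (one pipeline edited, two forgotten). The script below is an added example, not part of the original guide or of keystone: it rewrites only the `pipeline =` lines of the three named sections, leaves every other section untouched, and verifies that no pipeline still references the filter before the new file would be installed. The keystone-paste.ini sample it works on is constructed and abridged for offline use; the real file has many more sections.

```shell
#!/bin/sh
# Added example, not from the original guide: remove the admin_token_auth
# filter from the keystone-paste.ini pipelines the guide names, and verify the
# result before the file is put in place. Only the constructed sample below is
# touched; point the functions at /etc/keystone/keystone-paste.ini to use them
# for real (keep a backup and restart httpd afterwards).

# usage: strip_admin_token_auth <paste.ini>   -> rewritten file on stdout
# Only "pipeline =" lines inside the three target sections are changed; every
# other line, including the pipelines of other sections, is copied through.
strip_admin_token_auth() {
  awk '
    /^\[/ {
      in_target = ($0 == "[pipeline:public_api]" ||
                   $0 == "[pipeline:admin_api]"  ||
                   $0 == "[pipeline:api_v3]")
    }
    in_target && /^pipeline[ \t]*=/ {
      sub(/^pipeline[ \t]*=[ \t]*/, "")
      n = split($0, f, /[ \t]+/)
      line = "pipeline ="
      for (i = 1; i <= n; i++)
        if (f[i] != "" && f[i] != "admin_token_auth") line = line " " f[i]
      $0 = line
    }
    { print }
  ' "$1"
}

# usage: admin_token_absent <paste.ini>   -> exit 0 when no pipeline lists it
admin_token_absent() {
  ! grep -Eq '^pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1"
}

# Constructed sample (abridged): the three target pipelines plus one pipeline
# that must stay untouched.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension admin_service
[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
[pipeline:public_version_api]
pipeline = cors sizelimit url_normalize public_version_service
EOF

# Rewrite into a new file and only report success when the check passes.
strip_admin_token_auth "$sample" > "$sample.new"
if admin_token_absent "$sample.new"; then
  echo "admin_token_auth removed from all pipelines:"
  cat "$sample.new"
else
  echo "admin_token_auth still present, not installing the new file" >&2
fi
```

On the controller the same two functions run against a copy of /etc/keystone/keystone-paste.ini; replace the original only after admin_token_absent succeeds, then restart httpd so the new pipelines take effect.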